Penetration Testing
// Definition
Authorised, simulated attacks against a system to find security weaknesses. Usually performed by security specialists late in the lifecycle, complementing automated scanning rather than replacing it.
// Related terms
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Rate Limiting
An API protection mechanism that caps how many requests a client can make within a time window. Tests should verify both the limit threshold and the response returned once it is exceeded (typically HTTP 429 Too Many Requests with a Retry-After header).
Shift-Right
Validating quality in production — through monitoring, feature flags, canary releases, and chaos experiments — to catch issues that synthetic tests can't reproduce.
Chapter 3 · Lesson 3: Security Testing Tools — OWASP ZAP, Burp Suite, SonarQube