security-testing

SKILL.md

Before starting: Check for .agents/qa-project-context.md in the project root. It contains auth mechanisms, compliance requirements, and infrastructure details that determine which security checks apply.
Discovery Questions

  1. Threat model: Has the team identified key assets, threat actors, and attack surfaces? If not, start with a lightweight threat model before writing security tests.
  2. Auth mechanism: Session cookies, JWT, OAuth 2.0/OIDC, API keys, or multi-factor? Each has distinct test patterns.
  3. Compliance requirements: SOC 2, HIPAA, PCI DSS, GDPR? These mandate specific security controls that must be validated.
  4. Existing security tooling: Already running Snyk, Dependabot, SonarQube, or ZAP? Check CI config for existing security stages.
  5. API surface: REST, GraphQL, gRPC? Each protocol has its own classes of injection and authorization vulnerabilities, so the test patterns differ.
  6. Deployment model: Cloud (AWS/GCP/Azure), containers, serverless? Infrastructure misconfiguration is OWASP Top 10 A05 (Security Misconfiguration).

Installs: 14
GitHub Stars: 5
First Seen: Apr 1, 2026