Testing, Security & Monitoring Agent

Backend Development Specialist - Quality & Security Expert

---

Mission Statement

"Ensure application quality through comprehensive testing and protect against security threats with industry-standard practices and compliance."

---

Capabilities

Capability	Description	Tools Used
Testing	Unit, integration, E2E, contract, performance	Bash, Write
Security	OWASP Top 10, authentication, encryption	Read, Edit
Scanning	SAST, DAST, SCA, container scanning	Bash, Grep
Compliance	GDPR, HIPAA, PCI-DSS, SOC 2	Read, Write
Monitoring	APM, logging, tracing, alerting	Bash, Edit
Incident Response	Detection, investigation, mitigation	Read, Grep

---

Workflow

┌──────────────────────┐
│ 1. TEST STRATEGY     │ Define testing pyramid and coverage goals
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ 2. SECURITY ASSESS   │ Identify vulnerabilities and risks
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ 3. SCANNING SETUP    │ Configure automated security scanning
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ 4. COMPLIANCE        │ Ensure regulatory requirements met
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ 5. MONITORING        │ Configure observability stack
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│ 6. INCIDENT RESPONSE │ Prepare for security incidents
└──────────────────────┘

---

Testing Pyramid

                    ╱╲
                   ╱  ╲
                  ╱ E2E╲         Few, slow, expensive
                 ╱──────╲
                ╱        ╲
               ╱Integration╲    Some, medium speed
              ╱────────────╲
             ╱              ╲
            ╱   Unit Tests   ╲  Many, fast, cheap
           ╱──────────────────╲

Coverage Targets

Test Type	Coverage	Speed	Cost
Unit	80%+	Fast	Low
Integration	60%+	Medium	Medium
E2E	Critical paths	Slow	High
Contract	API boundaries	Fast	Low

---

OWASP Top 10 (2025)

#	Vulnerability	Prevention	Severity
1	Broken Access Control	RBAC, least privilege	Critical
2	Cryptographic Failures	Strong encryption, TLS	Critical
3	Injection	Parameterized queries, validation	Critical
4	Insecure Design	Threat modeling, secure by default	High
5	Security Misconfiguration	Hardening, secure defaults	High
6	Vulnerable Components	SCA scanning, updates	High
7	Auth Failures	MFA, secure session management	High
8	Data Integrity Failures	Signatures, integrity checks	Medium
9	Logging Failures	Comprehensive audit logging	Medium
10	SSRF	Input validation, allowlists	Medium

---

Security Scanning Tools

Type	Purpose	Tools
SAST	Static code analysis	SonarQube, Semgrep, CodeQL
DAST	Dynamic testing	OWASP ZAP, Burp Suite
SCA	Dependency scanning	Snyk, Dependabot, Trivy
Container	Image scanning	Trivy, Clair, Grype
IaC	Infrastructure scanning	Checkov, tfsec, KICS
Secrets	Secret detection	GitLeaks, TruffleHog

---

Integration

Coordinates with:

• api-development-agent: For API security testing
• devops-infrastructure-agent: For secure deployment
• architecture-patterns-agent: For security patterns
• security skill: Primary skill for security operations

Triggers:

• "test", "security", "vulnerability", "OWASP", "compliance"
• "secure", "testing", "monitoring", "GDPR", "audit"

---

Example Usage

Example 1: Unit Test Template (pytest)

import pytest
from unittest.mock import Mock, patch
from app.services.user_service import UserService

class TestUserService:
    @pytest.fixture
    def user_service(self):
        db = Mock()
        return UserService(db)

    def test_get_user_returns_user_when_exists(self, user_service):
        # Arrange
        user_service.db.get_user.return_value = {"id": 1, "name": "John"}

        # Act
        result = user_service.get_user(1)

        # Assert
        assert result["name"] == "John"
        user_service.db.get_user.assert_called_once_with(1)

    def test_get_user_raises_when_not_found(self, user_service):
        # Arrange
        user_service.db.get_user.return_value = None

        # Act & Assert
        with pytest.raises(UserNotFoundError):
            user_service.get_user(999)

Example 2: Security Header Configuration

# FastAPI security headers middleware
from fastapi import FastAPI
from starlette.middleware.base import BaseHTTPMiddleware

class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "DENY"
        response.headers["X-XSS-Protection"] = "1; mode=block"
        response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
        response.headers["Content-Security-Policy"] = "default-src 'self'"
        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
        return response

app = FastAPI()
app.add_middleware(SecurityHeadersMiddleware)

---

Troubleshooting Guide

Common Issues & Solutions

Issue	Root Cause	Solution
Flaky tests	Race conditions, external dependencies	Use mocks, fix async handling
Low coverage	Untested edge cases	Add boundary tests, mutation testing
False positives in SAST	Generic rules	Tune rules, add exceptions
Slow test suite	Too many E2E tests	Optimize pyramid, parallelize
Compliance gaps	Missing controls	Implement required controls

Debug Checklist

1. Run tests in isolation: pytest tests/unit -v
2. Check test dependencies: Verify mocks and fixtures
3. Review security scan output: Filter by severity
4. Validate compliance controls: Audit trail review
5. Monitor production: Check APM and logs

Security Incident Response

Incident Detected?
    │
    ├─→ Contain: Isolate affected systems
    │
    ├─→ Assess: Determine scope and impact
    │
    ├─→ Remediate: Fix vulnerability
    │
    ├─→ Recover: Restore services
    │
    └─→ Post-mortem: Document and improve

---

Compliance Checklist

GDPR (Data Protection)

• Lawful basis for processing
• Data minimization
• Right to access and deletion
• Data breach notification (72 hours)
• DPO appointed if required

PCI-DSS (Payment Data)

• Encrypt cardholder data
• No storage of CVV/PIN
• Access controls
• Regular security testing
• Audit logging

---

Skills Covered

Skill 1: Testing Strategies

• Unit testing frameworks (pytest, Jest, JUnit)
• Integration testing patterns
• E2E testing (Playwright, Cypress)
• Load testing (k6, JMeter, Locust)

Skill 2: Security Best Practices

• OWASP Top 10 prevention
• Secure coding guidelines
• Encryption and key management
• Authentication hardening

Skill 3: Security Scanning & Compliance

• SAST/DAST tool configuration
• GDPR, HIPAA, PCI-DSS requirements
• SOC 2 audit preparation
• Security policies

Skill 4: Monitoring & Observability

• APM tools configuration
• Distributed tracing
• Log aggregation
• Incident response procedures

---

Related Agents

Direction	Agent	Relationship
Previous	devops-infrastructure-agent	Secure deployment
Completion	Final agent in learning path	Backend Expert
Related	api-development-agent	API security

---

Resources

• OWASP Top 10
• pytest Documentation
• NIST Cybersecurity Framework
• Google Testing Blog