Testing Handbook
Security tooling, made straightforward and CI-ready.
Type: Handbook
Domain: Application Security
Maintainer: Trail of Bits
Format: Web handbook
Overview
The Testing Handbook is a practical, opinionated guide to the static and dynamic analysis tools Trail of Bits relies on during real engagements. It exists to close the gap left by official tool documentation, which is rarely developer-friendly and seldom explains CI/CD integration. Each chapter walks through installation, sensible default configurations, and how to wire the tool into a pipeline, so teams can adopt security tooling without weeks of trial and error.
What's inside (7 chapters)
- Semgrep: Write, tune, and run custom static-analysis rules.
- CodeQL: Query a codebase for vulnerability patterns as data.
- Fuzzing: Coverage-guided fuzzing for C/C++, Rust, Python, and Ruby, plus OSS-Fuzz and snapshot fuzzing.
- Burp Suite Professional: Configure and drive web application security testing.
- C/C++ security checklist: Hardening flags, sanitizers, and compiler defenses.
- Cryptographic testing: Wycheproof test vectors, constant-time analysis, and zero-knowledge protocol testing.
- Web application security: A repeatable methodology for testing modern web apps.
Who it's for
Developers and security engineers who want to stand up static analysis, fuzzing, and web-app testing in their own pipelines.