Security testing methods: SAST (source code), DAST (running app), IAST (runtime instrumentation), fuzzing (random input), manual pen test (logic/complex issues), dependency scanning (SCA), secret scanning (credentials in code).
"Shift left" = find security issues early in the SDLC, when they're cheapest to fix. CI/CD pipeline integration: SAST + SCA + secret scanning on every commit; DAST on every deployment to staging; manual pen test quarterly or for major releases. Automate what you can; use manual testing for what automation misses.