Which of the following is NOT a common type of security testing?

Regulatory compliance checking is not typically categorized as a common type of security testing in the software development lifecycle. Instead, it refers to the process of ensuring that a software application meets specific legal, regulatory, or contractual obligations relevant to its operation. Compliance checking involves reviewing policies, regulations, and standards applicable to the industry and ensuring that the software adheres to these requirements.

In contrast, static code analysis, dynamic testing, and penetration testing are all recognized methods used to identify security vulnerabilities and verify the security posture of software applications. Static code analysis examines source code for potential vulnerabilities without executing the program, allowing for early detection of flaws. Dynamic testing, on the other hand, involves testing the application while it is running to identify runtime vulnerabilities. Penetration testing is an active approach that simulates an attack on the software to uncover security weaknesses by exploiting them, helping organizations understand their security exposure.

By understanding these distinctions, it becomes clear why regulatory compliance checking is not classified under common types of security testing, as it focuses more on adherence to external standards than on actively assessing the security of the application itself.