London software testing news UK

Overconfidence in application penetration testing

Posted in security testing,Software testing by testing in London on May 12, 2007

From Net Security

Fortify Software has released a report, entitled Misplaced Confidence in Application Penetration Testing, on how much confidence the results of an application penetration test actually warrant.

The report highlights how poorly consumers of application penetration testing understand how to gauge the effectiveness of their tests. It contains both a survey of security testers and an in-depth experiment to validate the survey results. While the survey revealed high expectations of application penetration tests, the experiment showed that automated and manual tests often reached only 25 percent of an application's security-critical APIs, leaving large portions of the code untested. In addition, the tests failed to identify critical vulnerabilities even within the parts of the application they did cover.

The study exposed a significant gap between the expectations of consumers of application penetration testing and the reality of the results when measured in a systematic and objective manner. At best, one of the tools achieved 29 percent coverage averaged across five applications. Since most companies augment automated testing with manual testing, the tester then tried to raise the coverage figures by adding manual effort. Although this produced an average increase in coverage of 19 percent, the combined tests still missed more than half of the vulnerable APIs in the applications.
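The coverage figures above only make sense if the security-critical APIs are enumerated up front and the application is instrumented to record which of them a test actually reaches. The following is an added example of that measurement, not code from the Fortify report or from this post: a constructed toy application with six security-critical sinks (database query, command execution, file read, authentication check, template rendering, deserialization), a decorator that counts calls to them, and two constructed request lists standing in for a crawler-style scanner and for a tester's hand-crafted requests. Handler paths, parameter names and the `admin-token` value are all assumptions made for the example.

```python
"""Measure how much of an application's security-critical API surface a test
exercises.  Added example, not code from the Fortify report or the original
post; the application, its handlers and the request lists are constructed."""
from collections import defaultdict
from functools import wraps

# Registry of security-critical functions (the "APIs" whose coverage we measure)
# and a per-run counter of how often each was reached.
CRITICAL_APIS = set()
HITS = defaultdict(int)


def security_critical(func):
    """Mark a function as a security-critical sink and count every call to it."""
    CRITICAL_APIS.add(func.__name__)

    @wraps(func)
    def wrapper(*args, **kwargs):
        HITS[func.__name__] += 1
        return func(*args, **kwargs)
    return wrapper


# --- constructed toy application: the sinks a pentest should reach ----------
@security_critical
def db_query(sql):
    return f"rows for {sql!r}"


@security_critical
def run_command(cmd):
    return f"ran {cmd!r}"


@security_critical
def read_file(path):
    return f"contents of {path!r}"


@security_critical
def check_auth(token):
    return token == "admin-token"  # assumed credential for the example


@security_critical
def render_template(html):
    return f"<page>{html}</page>"


@security_critical
def deserialize(blob):
    return {"blob": blob}


# --- constructed toy application: HTTP-like request dispatch -----------------
def handle(method, path, params, headers):
    if path == "/login" and method == "POST":
        return db_query(f"SELECT * FROM users WHERE name='{params.get('user', '')}'")
    if path == "/search":
        return render_template(f"Results for {params.get('q', '')}")
    if path == "/admin/export" and check_auth(headers.get("X-Token")):
        return read_file(params.get("file", "report.csv"))
    if path == "/admin/ping" and check_auth(headers.get("X-Token")):
        return run_command(f"ping -c1 {params.get('host', 'localhost')}")
    if path == "/api/import" and method == "POST":
        return deserialize(params.get("payload", ""))
    return "404"


def measure_coverage(requests):
    """Replay requests against the app; return the set of sinks reached and the
    fraction of all security-critical APIs that were reached."""
    HITS.clear()
    for method, path, params, headers in requests:
        handle(method, path, params, headers)
    reached = {name for name, n in HITS.items() if n > 0}
    return reached, len(reached) / len(CRITICAL_APIS)


# Constructed traffic: a crawler-style scanner only follows the unauthenticated
# GET links it can discover, so it never reaches the admin-only or POST-only sinks.
AUTOMATED = [
    ("GET", "/search", {"q": "<script>"}, {}),
    ("GET", "/admin/export", {"file": "../../etc/passwd"}, {}),  # no token: auth fails
    ("GET", "/", {}, {}),
]
# Constructed traffic a tester with credentials and knowledge of the app adds by hand.
MANUAL = [
    ("POST", "/login", {"user": "' OR 1=1--"}, {}),
    ("GET", "/admin/ping", {"host": "127.0.0.1; id"}, {"X-Token": "admin-token"}),
    ("POST", "/api/import", {"payload": "..."}, {}),
]

if __name__ == "__main__":
    auto_reached, auto_cov = measure_coverage(AUTOMATED)
    both_reached, both_cov = measure_coverage(AUTOMATED + MANUAL)
    print(f"automated only : {auto_cov:.0%} {sorted(auto_reached)}")
    print(f"with manual    : {both_cov:.0%} {sorted(both_reached)}")
    print("never reached  :", sorted(CRITICAL_APIS - both_reached))
```

Run stand-alone it reports the automated pass reaching 2 of 6 sinks and the combined pass 5 of 6, with `read_file` never exercised because nobody sent an authenticated export request. That last line is the useful output: the list of security-critical APIs a test never touched is exactly what a coverage number alone hides, and a real engagement would drive the same measurement from the application's own call tracing or a coverage tool rather than a hand-written decorator.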
