It may seem simple to ensure your security verification efforts get good coverage. But since the dawn of the OWASP Top Ten in 2003, vendors, consultants, managers, and CISOs have been reporting their appsec coverage in a disorganized, inaccurate, and often wildly optimistic way.
Nobody in application security wants to touch this taboo topic.
For many application security vendors, “coverage” is the third rail, yet it is perhaps the most critical part of your application security strategy.
“Coverage” is a deceptively complex concept, but in this Technical Brief, we break down the different dimensions of application security coverage in the following ways: