Why AppSec Tools Must have Good Coverage

What would you say if I told you your current application security tools are only covering about 20% of your application? Put another way, you're missing 80% of the vulnerabilities in your app!

Good security is a combination of a low number of security vulnerabilities and coverage of the codebase. If you're not getting coverage, your tools are leaving you in the dark: a clean report says nothing about the code the tool never reached. Several studies of dynamic vulnerability scanning tools have shown coverage measurements of right around 20%. These tools can't fill out forms, log in, or otherwise interact with an application in a way that generates the needed coverage.

Interestingly, static analysis tools don't get very good coverage either. There are a number of reasons for this. First, these tools don't analyze packaged libraries, which frequently make up around 80% of the total code in an application. Further, static analysis engines often cannot properly identify entry points into complex framework-based code, and so miss many real paths.

Contrast is explicit about your coverage. We measure exactly how much of your code has been analyzed, and even report exactly which methods still need to be exercised.
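To make the idea concrete, here is a small added example (not Contrast's code, and not how its agent is implemented) of what method-level coverage reporting looks like: each entry point of a constructed five-handler application is wrapped so that a test run records which handlers were actually exercised, and the report returns the fraction covered together with the handlers that still need to be hit. The two "scanners" are also constructed: a crawl-only run that never submits forms or logs in, and a session-aware run that does.

```python
"""Minimal method-level coverage tracker for security testing (added example).

Constructed sample: five request handlers stand in for an application's entry
points. A wrapper records which ones a test run exercised, and a report lists
the rest, which is what a tester needs to know how much of the app the scan
really looked at.
"""
from functools import wraps

# Registry of every instrumented entry point and whether it has been exercised.
_entry_points: dict = {}


def entry_point(func):
    """Register func as an application entry point and track its execution."""
    name = func.__qualname__
    _entry_points[name] = False

    @wraps(func)
    def wrapper(*args, **kwargs):
        _entry_points[name] = True
        return func(*args, **kwargs)

    return wrapper


def reset_coverage():
    """Clear the exercised flags before a new test run."""
    for name in _entry_points:
        _entry_points[name] = False


def coverage_report():
    """Return (fraction of entry points exercised, sorted list of unexercised ones)."""
    total = len(_entry_points)
    hit = sum(1 for seen in _entry_points.values() if seen)
    missed = sorted(n for n, seen in _entry_points.items() if not seen)
    return (hit / total if total else 0.0), missed


# --- Constructed sample application: five handlers ---------------------------
@entry_point
def get_home(request):
    return "home"


@entry_point
def get_search(request):
    return f"results for {request.get('q', '')}"


@entry_point
def post_login(request):
    return "logged in" if request.get("user") else "missing user"


@entry_point
def post_transfer(request):
    return f"transferred {request.get('amount', 0)}"


@entry_point
def get_admin_users(request):
    return "admin users"


# Two constructed "scanners": a crawler that only follows links (no forms, no
# login) and a session-aware run that also submits the forms and logs in.
CRAWL_ONLY = [("get_home", {}), ("get_search", {"q": "x"})]
FULL_RUN = CRAWL_ONLY + [
    ("post_login", {"user": "u"}),
    ("post_transfer", {"amount": 5}),
    ("get_admin_users", {}),
]


def run_scan(requests):
    """Replay a list of (handler name, request dict) pairs and report coverage."""
    reset_coverage()
    handlers = {
        f.__name__: f
        for f in (get_home, get_search, post_login, post_transfer, get_admin_users)
    }
    for name, req in requests:
        handlers[name](req)
    return coverage_report()


if __name__ == "__main__":
    for label, run in (("crawl only", CRAWL_ONLY), ("full run", FULL_RUN)):
        fraction, missed = run_scan(run)
        print(f"{label}: {fraction:.0%} of entry points exercised; not yet tested: {missed}")
```

The crawl-only run reports 40% coverage and names the three handlers it never reached, including the login and transfer forms and the admin page, which is exactly where the interesting findings tend to be; the full run reports 100%. A vulnerability count from the first run would look just as clean as one from the second, and only the coverage figure tells you the difference.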


By exposing coverage information, you'll know exactly how much of your application has been security tested, and whether you have a good picture of the security within your application.

You can give it a try on your applications for free!

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.