SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

Why AppSec Tools Must Have Good Coverage

What would you say if I told you your current application security tools are only covering about 20% of your application? Put another way, you're missing 80% of the vulnerabilities in your app!

Good security is a combination of a low number of security vulnerabilities and coverage over the codebase. If you're not getting coverage, your tools are leaving you in the dark. Several studies of dynamic vulnerability scanning tools have shown coverage measurements of around 20%. These tools can't fill out forms or interact with an application in a way that generates the needed coverage.

Interestingly, static analysis tools don't get very good coverage either. There are a number of reasons for this. First, these tools don't analyze packaged libraries, which frequently make up around 80% of the total code in an application. Further, static analysis engines often cannot properly identify entry points into complex framework-based code, and so miss many real paths.

Contrast is explicit about your coverage. We measure exactly how much of your code has been analyzed, and even report exactly which methods still need to be exercised.

By exposing coverage information, you'll know exactly how much of your application has been security tested, and whether you have a good picture of the security within your application.
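To make method-level coverage concrete, here is an added example (not Contrast's implementation and not code from the original post): a constructed five-method toy app is traced with Python's `sys.settrace` while it is driven first by a link-only crawl and then with a scripted form submission. All handler names, routes and request lists are assumptions made for the illustration.

```python
import sys

# Constructed toy application: handler names and routes are assumptions.
def home(params):
    return '<a href="/login">login</a>'

def login_form(params):
    return '<form method="post" action="/login">...</form>'

def check_password(user, password):
    return bool(user) and bool(password)

def login_submit(params):
    return check_password(params.get("user"), params.get("password"))

def transfer_funds(params):
    return "moved " + params.get("amount", "0")

ROUTES = {("GET", "/"): home, ("GET", "/login"): login_form,
          ("POST", "/login"): login_submit, ("POST", "/transfer"): transfer_funds}
# Every method that counts toward coverage, keyed by its code object.
APP_CODE = {f.__code__: f.__name__
            for f in (home, login_form, check_password, login_submit, transfer_funds)}

def measure(requests):
    """Replay requests; return (fraction of app methods run, methods never run)."""
    hit = set()

    def tracer(frame, event, arg):
        if event == "call" and frame.f_code in APP_CODE:
            hit.add(APP_CODE[frame.f_code])
        return None  # function-level only, no per-line tracing

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for method, path, params in requests:
            handler = ROUTES.get((method, path))
            if handler is not None:
                handler(params)
    finally:
        sys.settrace(previous)  # always restore whatever tracer was active
    return len(hit) / len(APP_CODE), sorted(set(APP_CODE.values()) - hit)

# Constructed traffic: a crawl that only follows links, then one that fills in the login form.
CRAWL = [("GET", "/", {}), ("GET", "/login", {})]
WITH_FORMS = CRAWL + [("POST", "/login", {"user": "alice", "password": "example"})]

if __name__ == "__main__":
    for name, reqs in (("link-only crawl", CRAWL), ("crawl + form submit", WITH_FORMS)):
        coverage, missed = measure(reqs)
        print(f"{name}: {coverage:.0%} of methods exercised; untested: {missed}")
```

The list of unexercised methods is the actionable part: it names the code that no security test has reached yet, regardless of how few findings the run produced.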

You can give it a try on your applications for free!

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.