Why AppSec Tools Must have Good Coverage

What would you say if I told you your current application tools are only covering about 20% of your application? Saying that another way, you're missing 80% of the vulnerabilities in your app!

Good security is a combination of a low number of security vulnerabilities and coverage over the codebase.  If you're not getting coverage, your tools are leaving you in the dark.  Several studies of dynamic vulnerability scanning tools have shown coverage measurements of right around 20%.  These tools can't fill out forms or interact with an application in a way that generates the needed coverage.

Interestingly, static analysis tools don't get very good coverage either. There are a number of reasons for this. First, these tools don't analyze packaged libraries, which is frequently around 80% of the total code in an application. Further, static analysis engines often cannot properly identify entry points into complex framework-based code, and miss many real paths.

Contrast is explicit about your coverage. We measure exactly how much of your code has been analyzed, and even report exactly which methods still need to be exercised.

By exposing coverage information, you'll know exactly how much of your application has been security tested, and whether you have a good picture of the security within your application.

You can give it a try on your applications for free!