Options
Static analysis versus penetration testing: a controlled experiment
Publikationstyp
Conference Paper
Publikationsdatum
2013-11
Sprache
English
Start Page
451
End Page
460
Article Number
6698898
Citation
2013 IEEE 24th International Symposium on Software Reliability Engineering, ISSRE 2013: 6698898, 451-460 (2013-12-01)
Contribution to Conference
Publisher DOI
Scopus ID
Publisher
IEEE
Suppose you have to assemble a security team, which is tasked with performing the security analysis of your organization's latest applications. After researching how to assess your applications, you find that the most popular techniques (also offered by most security consultancies) are automated static analysis and black box penetration testing. Under time and budget constraints, which technique would you use first? This paper compares these two techniques by means of an exploratory controlled experiment, in which 9 participants analyzed the security of two open source blogging applications. Despite its relative small size, this study shows that static analysis finds more vulnerabilities and in a shorter time than penetration testing.
DDC Class
004: Informatik