Authors: Scandariato, Riccardo; Walden, James; Joosen, Wouter
Dates: 2023-03-07; 2013-11
Published in: 2013 IEEE 24th International Symposium on Software Reliability Engineering, ISSRE 2013: 6698898, 451-460 (2013-12-01)
Handle: http://hdl.handle.net/11420/14952

Abstract: Suppose you have to assemble a security team that is tasked with performing the security analysis of your organization's latest applications. After researching how to assess your applications, you find that the most popular techniques (also offered by most security consultancies) are automated static analysis and black-box penetration testing. Under time and budget constraints, which technique would you use first? This paper compares these two techniques by means of an exploratory controlled experiment in which 9 participants analyzed the security of two open source blogging applications. Despite its relatively small size, this study shows that static analysis finds more vulnerabilities, and in a shorter time, than penetration testing.

Language: en
Subject: Computer science
Title: Static analysis versus penetration testing: a controlled experiment
Type: Conference Paper
DOI: 10.1109/ISSRE.2013.6698898
Other