What makes a good application pen test? Metrics


When it comes to creating secure applications, nothing beats focusing on the basics: secure coding in development and then testing the application for security defects. Part of the testing regime should always include an in-depth application pen test. But how do organizations know they are getting the full benefit from such assessments?

What goes (or should go) into developing a secure application is well known. Developers should have their code reviewed and scanned in their development environment. Their code should then pass through a series of quality and security tests in the build pipeline. Applications should be vetted again right after deployment. And, after all of that, it is still very likely that more vulnerabilities exist in the application that have yet to be uncovered.

Finding those stubborn flaws is where periodic application penetration tests come in; this is when an application is poked and prodded to see if its security controls work as intended and if it’s vulnerable to attack. Research firm Markets and Markets predicts that the entire penetration testing market will grow to $1.7 billion by 2021, up from $595 million in 2016, and that the web application penetration testing segment had the largest market size in 2016.

The difficulty of finding bugs throughout development, and as applications run in production, is why application security pen tests remain a critical part of any security program. These tests are how latent vulnerabilities such as cross-site scripting, SQL injection, remote code execution, and weak authentication are identified and, ideally, routed for remediation. But what does a successful penetration test look like, and how should enterprises measure success so that they can improve their results and get more value from future tests?
