[Owasp-leaders] Static analysis vs Automatic Dynamic vs Manual Testing
Matt Tesauro
matt.tesauro at owasp.org
Mon May 2 23:20:09 EDT 2011
I'm working on a presentation geared at auditors who are reviewing
application security efforts.
I remember some numbers being gathered by some entity around what coverage
you get with static analysis vs automatic dynamic vs manual testing. I want
to say MITRE or someone like that did the work.
I have this from WASC: (which is great)
http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
But I'm looking for some more numbers to demonstrate the value of a unified
application security program which utilizes all three elements.
One of the things I want to dispel is the idea that "I ran scanner X against
my web app, therefore I am secure," particularly when other elements of a
good app sec program are considered unnecessary. I know the arguments; I'm
hoping for some 3rd party numbers to back it up.
Additionally, any good numbers around the rise of applications, esp. web apps,
as the new attack surface of choice would be useful.
Thanks in advance.
Cheers!
--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site