DocumentCode :
665556
Title :
Static analysis versus penetration testing: A controlled experiment
Author :
Scandariato, Riccardo ; Walden, James ; Joosen, Wouter
Author_Institution :
iMinds-DistriNet, KU Leuven, Leuven, Belgium
fYear :
2013
fDate :
4-7 Nov. 2013
Firstpage :
451
Lastpage :
460
Abstract :
Suppose you have to assemble a security team, which is tasked with performing the security analysis of your organization's latest applications. After researching how to assess your applications, you find that the most popular techniques (also offered by most security consultancies) are automated static analysis and black box penetration testing. Under time and budget constraints, which technique would you use first? This paper compares these two techniques by means of an exploratory controlled experiment, in which 9 participants analyzed the security of two open source blogging applications. Despite its relatively small size, this study shows that static analysis finds more vulnerabilities, and in a shorter time, than penetration testing.
Keywords :
program diagnostics; program testing; public domain software; automated static analysis; black box penetration testing; open source blogging applications; Context; Databases; Manuals; Productivity; Security; Software; Testing;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Reliability Engineering (ISSRE), 2013 IEEE 24th International Symposium on
Conference_Location :
Pasadena, CA
Type :
conf
DOI :
10.1109/ISSRE.2013.6698898
Filename :
6698898