Survey finds problems with pen testing
Fortify Software finds that most penetration testing fails to identify critical vulnerabilities
New research by application lifecycle security vendor Fortify Software has found that most penetration testing fails to identify critical vulnerabilities in products, and that testers have too much confidence in these techniques.
Over 58 percent of pen testers said that the tests they run are adequate for finding vulnerabilities in applications, and nearly half said their testing could reach nearly 80 percent of their application's security-critical APIs.
But separate research carried out by Fortify found that automated and manual penetration testing reached only 25 percent, and in the portions of the apps they did cover, the tests failed to identify critical vulnerabilities.
"Most organisations admit they don't know how thorough their black box testing is, but they assume their tests are comprehensive and effective," said Fortify's chief scientist, Brian Chess. "Applying manual effort to customise the tools can significantly improve their effectiveness, but the tests still failed to achieve coverage numbers greater than 50 percent. Conclusion: black box tools aren't a good substitute for good testing techniques."