[WEB SECURITY] Request for information (Web application security testing)

Debasis Mohanty dm.mailinglists at gmail.com
Tue Feb 23 12:19:34 EST 2010

Do you have anything to add that might be helpful?

Assessment effort estimation? 

You may like to check this - 
TA-Mapper: Application Penetration Testing Effort Estimator


From: Léon Pauv [mailto:pauv.leon at gmail.com] 
Sent: 23 February 2010 16:15
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Request for information (Web application security

Hi everyone,

My name is Léon PAUV and I am currently preparing for a Master's degree in IT
in France. As part of my degree course, I am writing a research paper
entitled “Testing the Web application security”, in which I need to analyze
today’s context of Web application security testing and its future

In order to gather supplementary information related to my subject, I looked
for security experts on the Internet and have been advised to post a message
on the WASC mailing list (sorry to the people who belong to this list and
whom I may already have contacted by e-mail).

It would be really helpful if some of you could answer the questionnaire (or
at least some of its questions) below.

Thank you all in advance for your time and consideration,

Best regards,


Analysis of the existent
1.    Who are the main actors in the field of Web application security and
especially in the testing part? Do you have any information regarding their
market share?

2.    Which testing methods/solutions (black-box, white-box, automated
scanner, etc.) are the most often used? Why?

3.    In your opinion, what are the most important criteria when choosing a

4.    What is the average cost of a security testing solution?

5.    What is the average budget invested by companies for the security of
their Web applications and more particularly for the testing part? What do
you think about it?

Future of Web application security testing
1.    What are the limits of current testing methods/tools?

2.    What needs to be improved?

3.    What are the possible solutions?

4.    According to you, what is the best one and why? 

5.    Can it be easily implemented? What are its limits?
Do you have anything to add that might be helpful?
