Chapter 20. Automating the Risk Calculation of Modern Applications

Erkang Zheng

When it comes to assessing the security risk of a software application, relying solely on automated testing tools can provide an incomplete view. Security teams often employ tools such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) scanners, which generate a number of findings and assign severity ratings. These findings are then used to determine the risk associated with the application.

However, this approach ignores crucial factors. Comparing the number or severity of findings between applications does not by itself indicate their relative security or risk. For instance, an internal application used by 10 users may carry more numerous or more severe findings and still be less risky than a public-facing production app with a million users and far fewer findings. The context in which the application operates greatly influences its risk profile.

Similarly, the frequency of testing and the application’s history play crucial roles in assessing its security.

In order to achieve a comprehensive and accurate measurement of an application’s security risk, a holistic approach is necessary. I’d like to introduce an automated application risk modeling process, continuous application risk evaluation ...
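As an added illustration, not the author's model (which is cut off above), here is a small context-weighted score that applies the three factors this chapter names: exposure (user count and reachability), how recently the application was tested, and its incident history. The two sample applications, their finding counts and every weight are assumptions chosen to mirror the chapter's example.

```python
import math
from dataclasses import dataclass

# Assumed weights per finding severity (not the chapter's numbers).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}


@dataclass
class AppContext:
    name: str
    findings: dict          # severity -> count, as reported by SAST/DAST/SCA
    users: int
    internet_facing: bool
    days_since_last_test: int
    incidents_last_year: int


def finding_score(findings: dict) -> float:
    """What a scanner-only view measures: severity-weighted finding count."""
    return sum(SEVERITY_WEIGHT[sev] * n for sev, n in findings.items())


def exposure_factor(ctx: AppContext) -> float:
    # Reach grows with the log of the user base (10 users -> 2, 1M -> 7);
    # internet-facing apps are weighted twice as heavily as internal ones.
    reach = 1.0 + math.log10(max(ctx.users, 1))
    return reach * (2.0 if ctx.internet_facing else 1.0)


def staleness_factor(days_since_last_test: int) -> float:
    # Untested change accrues uncertainty: +50% per 90 days, capped at 3x.
    return min(3.0, 1.0 + 0.5 * (days_since_last_test / 90))


def history_factor(incidents_last_year: int) -> float:
    # Each prior incident in the last year adds 25% to the baseline.
    return 1.0 + 0.25 * incidents_last_year


def risk_score(ctx: AppContext) -> float:
    """Context-aware risk: findings scaled by exposure, staleness and history."""
    return (finding_score(ctx.findings) * exposure_factor(ctx)
            * staleness_factor(ctx.days_since_last_test)
            * history_factor(ctx.incidents_last_year))


# Constructed sample applications mirroring the chapter's comparison.
INTERNAL_APP = AppContext("internal-tool", {"high": 3, "medium": 10, "low": 20},
                          users=10, internet_facing=False,
                          days_since_last_test=7, incidents_last_year=0)
PUBLIC_APP = AppContext("public-portal", {"high": 1, "medium": 2},
                        users=1_000_000, internet_facing=True,
                        days_since_last_test=120, incidents_last_year=1)
```

On these inputs the internal tool scores higher on findings alone (45 vs 9) but far lower on context-weighted risk (about 93.5 vs 262.5), which is the inversion the chapter describes.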
