PROTECT

PROTECT stands for "Proactive Risk-Oriented Testing Ensuring Comprehensive Testing." and represents the key elements of security testing coverage in the context of application security. It emphasizes the proactive and risk-oriented approach to testing, ensuring that comprehensive testing practices are implemented to identify and mitigate potential security risks and vulnerabilities in applications.

Security testing coverage in the context of application security refers to the extent to which an application's security controls, vulnerabilities, and potential attack vectors are thoroughly tested and evaluated. It involves identifying and assessing security risks, vulnerabilities, and weaknesses to ensure that the application is adequately protected against potential threats. Here are key aspects of security testing coverage in the context of application security:

  1. Security Testing Objectives: The primary objective of security testing coverage is to identify security vulnerabilities and weaknesses in the application. This includes testing for common vulnerabilities such as injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), authentication and authorization bypass, insecure configurations, and sensitive data exposure. The testing aims to ensure that all critical areas of the application's security are assessed.

  2. Comprehensive Test Scope: Security testing coverage should encompass all layers and components of the application, including the user interface, business logic, application programming interfaces (APIs), data storage, and network communication. It should also cover any integrated third-party components or libraries that may introduce security risks. By testing the entire application stack, organizations can identify vulnerabilities and potential attack vectors across different areas.

  3. Testing Methodologies: Various testing methodologies can be employed to achieve comprehensive security testing coverage. This includes manual testing, automated scanning, source code analysis, penetration testing, fuzz testing, and threat modeling. Each methodology has its strengths and focuses on different aspects of security, helping to ensure a wide range of vulnerabilities are identified and addressed.

  4. Compliance and Industry Standards: Security testing coverage should align with relevant compliance requirements and industry standards. This includes adhering to security frameworks like OWASP (Open Web Application Security Project) Top 10, SANS (SysAdmin, Audit, Network, Security) Top 25, and specific industry-specific regulations. By considering these standards, organizations can ensure that their security testing covers the most critical and prevalent vulnerabilities and follows recognized best practices.

  5. Risk-Based Approach: Security testing coverage should be driven by a risk-based approach, prioritizing testing efforts based on the potential impact and likelihood of exploitation for different vulnerabilities. This involves analyzing the application's threat landscape, understanding the business impact of potential attacks, and focusing testing efforts on areas with higher risk exposure. By prioritizing resources based on risk, organizations can achieve a more efficient and effective security testing coverage.

  6. Continuous Testing: Security testing coverage should not be a one-time activity but should be integrated into the entire software development lifecycle. Regular and ongoing security testing, including continuous integration and continuous deployment (CI/CD) pipelines, helps ensure that security vulnerabilities are identified and addressed throughout the development process. This helps mitigate risks associated with changes and updates to the application.

  7. Reporting and Remediation: The results of security testing coverage should be properly documented and communicated to relevant stakeholders. This includes reporting identified vulnerabilities, their potential impact, and recommendations for remediation. By having clear and actionable reports, organizations can address identified vulnerabilities and track progress in improving application security.

By ensuring comprehensive security testing coverage, organizations can identify and address vulnerabilities and weaknesses in their applications, reducing the risk of successful attacks and data breaches. It helps establish a strong security foundation for the application and provides confidence in its ability to withstand potential threats.

PROTECT Metrics

Security testing coverage refers to the extent or completeness with which an application or system is subjected to security testing activities. It measures the breadth and depth of the security assessment conducted on the target system to identify vulnerabilities, weaknesses, and potential security risks. Here are a few metrics that can be used to measure security testing coverage:

  1. Test Coverage Percentage: This metric measures the percentage of the application's code, features, or functionality that has been subjected to security testing. It quantifies the extent to which the application has been explored and assessed for security vulnerabilities. Test coverage can be measured at different levels, such as unit testing, integration testing, and system-level testing.

TCP = (Number of Tested Security Controls / Total Number of Security Controls) * 100.

  • The Test Coverage Percentage metric represents the percentage of security controls that have been tested out of the total number of security controls in the application. It can be calculated by dividing the number of tested security controls by the total number of security controls and multiplying the result by 100.

  • For example, if there are 50 security controls in the application and 40 of them have been tested, the TCP would be 80% ((40 / 50) * 100 = 80%).

  • Measuring TCP helps organizations assess the extent to which their application security controls have been tested. It provides insights into the comprehensiveness of the security testing efforts and helps identify areas where additional testing may be required. A higher TCP indicates a higher level of coverage, demonstrating a more thorough testing approach and reducing the chances of undiscovered security vulnerabilities.

  1. Vulnerability Discovery Rate: This metric focuses on the rate at which security vulnerabilities are discovered during the testing process. It measures the effectiveness of security testing in identifying potential risks and vulnerabilities within the application. A higher discovery rate indicates a more comprehensive and thorough security assessment.

VDR = (Number of Discovered Vulnerabilities / Total Test Duration)

  • The Vulnerability Discovery Rate metric represents the average number of vulnerabilities discovered per unit of time during application security testing. It can be calculated by dividing the number of discovered vulnerabilities by the total test duration.

  • For example, if 20 vulnerabilities are discovered during a 10-day testing period, the VDR would be 2 vulnerabilities per day (20 vulnerabilities / 10 days = 2 vulnerabilities per day).

  • Measuring VDR helps organizations assess the effectiveness and efficiency of their application security testing efforts. It provides insights into the rate at which vulnerabilities are being identified and helps identify the pace of vulnerability discovery. A higher VDR indicates a faster rate of vulnerability detection, demonstrating a proactive approach to identifying and addressing security weaknesses in the application.

  1. Test Case Coverage: Test case coverage measures the percentage of security test cases executed out of the total number of test cases designed for the application. It reflects the proportion of security scenarios and attack vectors that have been covered during the testing process. A higher test case coverage suggests a more comprehensive examination of the application's security posture.

TCC = (Number of Executed Test Cases / Total Number of Test Cases) * 100.

  • The Test Case Coverage metric represents the percentage of executed test cases out of the total number of test cases in the application security testing process. It can be calculated by dividing the number of executed test cases by the total number of test cases and multiplying the result by 100.

  • For example, if there are 100 test cases in the application security test suite and 80 of them have been executed, the TCC would be 80% ((80 / 100) * 100 = 80%).

  • Measuring TCC helps organizations assess the extent to which their application security test cases have been executed. It provides insights into the thoroughness and completeness of the testing efforts and helps identify areas where additional test coverage may be required. A higher TCC indicates a higher level of test case coverage, demonstrating a more comprehensive approach to testing the application's security controls and reducing the chances of undiscovered vulnerabilities.

  1. Vulnerability Severity Distribution: This metric assesses the distribution of vulnerability severities discovered during security testing. It categorizes vulnerabilities based on their severity levels (e.g., critical, high, medium, low) and provides insights into the balance of testing efforts across different risk levels. A balanced severity distribution indicates a well-rounded security testing approach that addresses both critical and lower-risk vulnerabilities.

VSD = (Number of Vulnerabilities of Specific Severity / Total Number of Vulnerabilities) * 100.

  • The Vulnerability Severity Distribution metric represents the percentage of vulnerabilities of a specific severity level out of the total number of vulnerabilities discovered during application security testing. It can be calculated by dividing the number of vulnerabilities of a specific severity level by the total number of vulnerabilities and multiplying the result by 100.

  • For example, if there are 50 vulnerabilities discovered during testing and 10 of them are categorized as critical severity, the VSD for critical severity would be 20% ((10 / 50) * 100 = 20%).

  • Measuring VSD helps organizations understand the distribution of vulnerabilities based on severity levels. It provides insights into the relative proportion of vulnerabilities at different severity levels, helping prioritize remediation efforts based on the severity and potential impact of the vulnerabilities. By monitoring VSD, organizations can ensure that higher severity vulnerabilities receive appropriate attention and resources for mitigation, thereby improving the overall security posture of the application.

  1. Test Depth: Test depth refers to the thoroughness and depth of the security testing activities performed. It measures the level of scrutiny applied during testing, including the depth of penetration testing, code review, security architecture analysis, and security controls assessment. A higher test depth indicates a more comprehensive evaluation of the application's security measures.

TD = (Number of Unique Test Cases Executed / Total Number of Potential Test Cases) * 100.

  • The Test Depth metric represents the percentage of unique test cases executed out of the total number of potential test cases in the application security testing process. It can be calculated by dividing the number of unique test cases executed by the total number of potential test cases and multiplying the result by 100.

  • For example, if there are 500 potential test cases in the application security test suite and 300 unique test cases have been executed, the TD would be 60% ((300 / 500) * 100 = 60%).

  • Measuring TD helps organizations assess the extent to which their application security testing has covered different aspects of the application's functionality, attack vectors, and potential vulnerabilities. It provides insights into the depth and thoroughness of the testing efforts, helping identify areas where additional test coverage may be required. A higher TD indicates a deeper level of test coverage, demonstrating a more comprehensive approach to uncovering potential security vulnerabilities and reducing the chances of undiscovered weaknesses.

  1. Compliance Coverage: This metric focuses on the coverage of security compliance requirements during testing. It assesses the extent to which the application adheres to relevant security standards, regulations, or industry best practices. Compliance coverage ensures that security testing addresses specific legal or regulatory requirements applicable to the application.

CC = (Number of Compliant Controls / Total Number of Required Controls) * 100.

  • The Compliance Coverage metric represents the percentage of compliant controls out of the total number of required controls for application security compliance. It can be calculated by dividing the number of compliant controls by the total number of required controls and multiplying the result by 100.

  • For example, if there are 80 required controls for application security compliance and 70 of them are compliant, the CC would be 87.5% ((70 / 80) * 100 = 87.5%).

  • Measuring CC helps organizations assess the level of compliance coverage achieved in their application security testing efforts. It provides insights into the extent to which the required controls have been implemented and are operating effectively. A higher CC indicates a higher level of compliance coverage, demonstrating a stronger adherence to the prescribed security controls and regulations. It also helps organizations identify areas where additional compliance measures or remediation efforts may be necessary to improve the overall compliance coverage.


These metrics provide insights into the scope, effectiveness, and thoroughness of security testing activities. By monitoring and tracking these metrics, organizations can assess their security testing coverage, identify areas for improvement, and ensure a comprehensive approach to identifying and addressing security vulnerabilities in their applications.