Publication | Closed Access
Learning from Software Security Testing
Citations: 11
References: 20
Year: 2008
Venue: Unknown
Software Maintenance, Engineering, Information Security, Intra-organisational Repository, Software Engineering, Software Analysis, Hardware Security, Vulnerability Assessment (Computing), Discovered Vulnerabilities, System Testing, Testing Technique, Software Security Testing, Security Testing, Computer Science, Security Testing Method, Software Security, Program Analysis, Software Testing, Security
Software security testing tools and methodologies are presently abundant, and the question no longer seems to be "if to test" for security, but rather "where and when to test" and "then what?". In this paper we present a review of security testing literature, and propose a software security testing scheme that exploits an intra-organisational repository of discovered vulnerabilities that closes the loop after the testing of one application is complete, providing useful input to the next application to be tested.