How to know the security or penetration test coverage
Does anyone know how to understand the security or penetration test coverage?
I found the traditional method for functional test coverage measurement is not quite useful for security test. Because for security test, actually, you don't need to cover every logic branch. If you cover the whole URLs and parameters, basically, you cover everything.
One possible metric for coverage of a web application security assessment is the range of issues tested for. At a bare minimum, the OWASP Top 10 issues should be tested for, but a high quality assessment will properly assess business logic and application specific issues. Also, the tester should have an understanding of any specific technologies used by the web application (e.g. Adobe Flash, Google Gears).
Penetration testing is a specialist activity, so get a trustworthy and respected company to perform the testing. In the UK, the CHECK scheme is highly respected, a list of certified companies can be found here: http://www.crest-approved.org/member_companies.php
Full disclosure: I work for Verizon Business who offer penetration testing services.