Software applications, and particularly software applications which may be accessible over a computer network, may be vulnerable to attacks by unauthorized users. For example, such unauthorized users may attempt to access a software application in order to gain access to data associated with the software application, or to cause the software application to perform a function that is not desired or permitted by a provider thereof.
In order to thwart the efforts of such unauthorized users, developers or other providers of software applications may preemptively execute potential test attacks against a given software application, in order to test the ability of the software application to resist such attacks (including identifying and correcting particular susceptibilities to specific types of potential attacks). However, it may be difficult to perform such security testing of a software application in a manner that is efficient, scalable, repeatable, and effective.
For example, such security testing may be required to span an entire development life cycle of a software application, from application design all the way through executions of specific, deployed implementations of the software application. Moreover, many types of attacks exist, and it may be difficult or impossible to test all of them, given a quantity of available resources.
In practice, software providers may rely on the developers of a software application to execute security tests, on the theory that the software developers will be effective in this regard as a result of the developers' extensive knowledge of the software application in question. However, such software developers may not be experts in the field of application security testing. Conversely, some software providers may utilize third-party security experts to test specific software applications, on the theory that such security experts have a broad and extensive knowledge of potential threats. However, such security experts may not have the desired level of expertise with respect to the specific software application being tested. Further, such third-party security experts may wish to maintain restricted, proprietary knowledge of their testing techniques, so that the provider of the software application under test does not have transparency or repeatability with respect to the tests performed.
As a result of these and other challenges presented by application security testing, providers of software applications are often unable to achieve the desired quality of security testing. Consequently, the providers may be forced either to expend undesirably large quantities of time and money in an attempt to obtain satisfactory levels of security testing, or to ultimately deploy insufficiently tested applications, or both.