Good = comprehensive assessments that find as many as possible of the vulnerabilities attackers actually exploit. This requires an experienced pen-tester, a top-tier scanner, and a thorough threat-based testing methodology.
Fast = assessments completed within a couple of days, or more specifically within a given QA testing window, so that any outstanding issues can preferably be addressed before the production release.
Cheap = assessments that can be performed routinely with each code change without exceeding the allocated budget.
The challenge, as illustrated by the Project Triangle, is that unfortunately you can't have it all. Choices and tradeoffs must be made. As Wikipedia elegantly puts it (Project Triangle): "Like any human undertaking, projects need to be performed and delivered under certain constraints. Traditionally, these constraints have been listed as 'scope,' 'time,' and 'cost.'"
When it comes to website vulnerability assessments, enterprises are faced with a similar choice:
- Performed comprehensively and quickly, but it will not be cheap.
- Performed quickly and cheaply, but will likely lead to missed vulnerabilities and potentially a security incident.
- Performed comprehensively and cheaply, but it will take a long time.