
What are best practices for security-testing software?

How do testers manage and prioritize the security software vulnerabilities they find when security-testing software?

It's one thing to uncover security flaws in software, but it's quite another to ensure the issues are properly resolved. In many penetration tests and Web security assessments I've performed, I have found that getting the issues fixed is the hard part. The vulnerabilities are discovered, and the specific findings and solutions are documented in a formal report. Yet the solutions are left undone, including those for higher-priority security issues such as SQL injection, cross-site scripting and the lack of SSL (Secure Sockets Layer) on login pages, which exposes login credentials. It's not all that different from shelfware and under-implemented security controls.


After the scoping phase, the follow-up phase is the second most important part of security-testing software. If you skip this phase, the test process has just created more liabilities than it solved: you now have documented, known vulnerabilities that nobody has acted on. Once the report is received, be it a customized report from a consultant or a canned report from a tool like a Web vulnerability scanner, you and the responsible parties must determine what needs to be resolved. Even if the findings are already prioritized, no one is going to know your environment, culture and risk tolerance like your team will.

Obviously, you're not going to be able to fix everything, but you can fix the issues that matter in the context of your business. I recommend breaking your findings down into two categories: critical, which are issues that can be immediately exploited and cause harm to the business, and non-critical, which are issues and poor practices that could be exploited, especially when combined with other findings. You can prioritize from there based on the risk to sensitive information, ease of resolution (time, complexity, etc.) and other criteria that matter to your organization.
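As an added example (not part of the original answer), the following Python script applies the two-category triage described above to a small set of constructed findings: an issue is "critical" when it is immediately exploitable and causes harm to the business, everything else is "non-critical", and within each category findings are ranked by risk to sensitive information and then by ease of resolution. It also implements the follow-up check the answer argues for, listing critical findings that are still unresolved. The field names, scoring scales and sample findings are assumptions made for the example, not a format used by any particular scanner or consultant report.

```python
from dataclasses import dataclass
from typing import List

# Sensitivity and effort scales are assumptions for this example:
# data_sensitivity 0 (no sensitive data) .. 3 (credentials, payment data)
# fix_effort       1 (trivial config change) .. 5 (major redesign)


@dataclass
class Finding:
    id: str
    title: str
    exploitable_now: bool   # can an attacker exploit it immediately?
    business_harm: bool     # does exploitation actually hurt the business?
    data_sensitivity: int   # risk to sensitive information
    fix_effort: int         # time / complexity of the resolution
    resolved: bool = False  # updated during the follow-up phase


def category(f: Finding) -> str:
    """Critical = immediately exploitable AND harmful; otherwise non-critical."""
    return "critical" if f.exploitable_now and f.business_harm else "non-critical"


def priority_key(f: Finding):
    """Sort key: critical first, then higher data sensitivity, then lower fix effort.

    The finding id is the final tie-breaker so ordering is deterministic.
    """
    rank = 0 if category(f) == "critical" else 1
    return (rank, -f.data_sensitivity, f.fix_effort, f.id)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return the findings in the order the team should work them."""
    return sorted(findings, key=priority_key)


def unresolved_critical(findings: List[Finding]) -> List[Finding]:
    """Follow-up check: critical findings nobody has closed out yet."""
    return [f for f in prioritize(findings) if category(f) == "critical" and not f.resolved]


def triage_report(findings: List[Finding]) -> List[str]:
    """One line per finding, in priority order, with category and status."""
    lines = []
    for f in prioritize(findings):
        status = "resolved" if f.resolved else "OPEN"
        lines.append(f"[{category(f):12}] {f.id}: {f.title} "
                     f"(sensitivity={f.data_sensitivity}, effort={f.fix_effort}, {status})")
    return lines


# Constructed sample report, loosely modelled on the issue types named in the answer.
SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in login form",           True,  True,  3, 3),
    Finding("F-002", "Reflected XSS in search parameter",     True,  True,  2, 1, resolved=True),
    Finding("F-003", "Login page served without SSL/TLS",     True,  True,  3, 2),
    Finding("F-004", "Server version disclosed in banner",    False, False, 0, 1),
    Finding("F-005", "Directory listing enabled on /static",  False, True,  1, 1),
    Finding("F-006", "Outdated third-party library",          False, True,  2, 4),
]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_FINDINGS):
        print(line)
    print("Still open and critical:", [f.id for f in unresolved_critical(SAMPLE_FINDINGS)])
```

The ordering puts the missing SSL/TLS finding ahead of the SQL injection only because both carry the same risk to credentials and the transport fix is assumed to be cheaper; change the weights in `priority_key` to reflect your own environment and risk tolerance, which is exactly the team-specific judgement the answer says a canned report cannot supply.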


This was last published in September 2014

Comments
Bug advocacy is a big deal and a skill in itself. I found that defect reports written in an abstract technical language are more likely to be ignored than those appealing to striking examples and emotions.
To be specific: for one product the tool reported "potential penetration weakness for drop down field"; it didn't look scary at all to the product owner. Then I filed a would-be legal record, signing it as Palpatine from the Galaxy Far Far Away, using the weakness above, and the defect became freakishly dangerous.