freshidea - Fotolia
It's one thing to uncover security flaws in software, but it's quite another to ensure the issues are properly resolved. In many penetration tests and Web security assessments I've performed, I have found solving the issues to be very challenging. The vulnerabilities are discovered, and the specific findings and solutions are documented in a formal report. Yet the solutions are left undone, including ones for higher priority security issues such as SQL injection, cross-site scripting and the lack of secure sockets layer, thus exposing login credentials. It's not all that different than shelfware and under-implemented security controls.
After the scoping phase, the follow-up phase is the second most important part of security-testing software. If you skip this phase, then the test process just created more liabilities than it solved. Once the report is received, be it a customized report from a consultant or a canned report from a tool like a Web vulnerability scanner, you and the responsible parties must determine what needs to be resolved. Even if the findings are already prioritized, no one is going to know your environment, culture and risk tolerance like your team will.
Obviously, you're not going to be able to fix everything, but you can fix the issues that matter in the context of your business. I recommend breaking your findings down into two categories: critical, which are issues that can be immediately exploited and cause harm to the business, and non-critical, which are issues and poor practices that could be exploited, especially when combined with other findings. You can prioritize from there based on the risk to sensitive information, ease of resolution (time, complexity, etc.) and other criteria that matter to your organization.
Best practices for software security tests
How to choose the best security assessment tool
Ten steps to mastering Web app security assessments
Nine ways to bolster application security after an attack
Dig Deeper on Software Security Test Best Practices
Related Q&A from Kevin Beaver
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading
The WannaCry TCP port 445 exploit returned the spotlight to Microsoft's long-abused networking port. Network security expert Kevin Beaver explains ... Continue Reading
While most mobile platforms provide levels of security from mobile cryptojacking, IT must still be aware of the risks and procedures to address an ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.