freshidea - Fotolia
It's one thing to uncover security flaws in software, but it's quite another to ensure the issues are properly resolved. In many penetration tests and Web security assessments I've performed, I have found solving the issues to be very challenging. The vulnerabilities are discovered, and the specific findings and solutions are documented in a formal report. Yet the solutions are left undone, including ones for higher priority security issues such as SQL injection, cross-site scripting and the lack of secure sockets layer, thus exposing login credentials. It's not all that different than shelfware and under-implemented security controls.
After the scoping phase, the follow-up phase is the second most important part of security-testing software. If you skip this phase, then the test process just created more liabilities than it solved. Once the report is received, be it a customized report from a consultant or a canned report from a tool like a Web vulnerability scanner, you and the responsible parties must determine what needs to be resolved. Even if the findings are already prioritized, no one is going to know your environment, culture and risk tolerance like your team will.
Obviously, you're not going to be able to fix everything, but you can fix the issues that matter in the context of your business. I recommend breaking your findings down into two categories: critical, which are issues that can be immediately exploited and cause harm to the business, and non-critical, which are issues and poor practices that could be exploited, especially when combined with other findings. You can prioritize from there based on the risk to sensitive information, ease of resolution (time, complexity, etc.) and other criteria that matter to your organization.
Best practices for software security tests
How to choose the best security assessment tool
Ten steps to mastering Web app security assessments
Nine ways to bolster application security after an attack
Dig Deeper on Topics Archive
Related Q&A from Kevin Beaver
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading