It's one thing to uncover security flaws in software, but it's quite another to ensure the issues are properly...
resolved. In many penetration tests and Web security assessments I've performed, I have found solving the issues to be very challenging. The vulnerabilities are discovered, and the specific findings and solutions are documented in a formal report. Yet the solutions are left undone, including ones for higher priority security issues such as SQL injection, cross-site scripting and the lack of secure sockets layer, thus exposing login credentials. It's not all that different than shelfware and under-implemented security controls.
After the scoping phase, the follow-up phase is the second most important part of security-testing software. If you skip this phase, then the test process just created more liabilities than it solved. Once the report is received, be it a customized report from a consultant or a canned report from a tool like a Web vulnerability scanner, you and the responsible parties must determine what needs to be resolved. Even if the findings are already prioritized, no one is going to know your environment, culture and risk tolerance like your team will.
Obviously, you're not going to be able to fix everything, but you can fix the issues that matter in the context of your business. I recommend breaking your findings down into two categories: critical, which are issues that can be immediately exploited and cause harm to the business, and non-critical, which are issues and poor practices that could be exploited, especially when combined with other findings. You can prioritize from there based on the risk to sensitive information, ease of resolution (time, complexity, etc.) and other criteria that matter to your organization.
Best practices for software security tests
How to choose the best security assessment tool
Ten steps to mastering Web app security assessments
Nine ways to bolster application security after an attack
Dig Deeper on Software Security Test Best Practices
Related Q&A from Kevin Beaver
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.