freshidea - Fotolia

Manage Learn to apply best practices and optimize your operations.

What are best practices for security-testing software?

How do testers manage and prioritize the security software vulnerabilities they find when security-testing software?

It's one thing to uncover security flaws in software, but it's quite another to ensure the issues are properly resolved. In many penetration tests and Web security assessments I've performed, I have found solving the issues to be very challenging. The vulnerabilities are discovered, and the specific findings and solutions are documented in a formal report. Yet the solutions are left undone, including ones for higher priority security issues such as SQL injection, cross-site scripting and the lack of secure sockets layer, thus exposing login credentials. It's not all that different than shelfware and under-implemented security controls.

Even if the findings are already prioritized, no one is going to know your environment, culture and risk tolerance like your team will.

After the scoping phase, the follow-up phase is the second most important part of security-testing software. If you skip this phase, then the test process just created more liabilities than it solved. Once the report is received, be it a customized report from a consultant or a canned report from a tool like a Web vulnerability scanner, you and the responsible parties must determine what needs to be resolved. Even if the findings are already prioritized, no one is going to know your environment, culture and risk tolerance like your team will.

Obviously, you're not going to be able to fix everything, but you can fix the issues that matter in the context of your business. I recommend breaking your findings down into two categories: critical, which are issues that can be immediately exploited and cause harm to the business, and non-critical, which are issues and poor practices that could be exploited, especially when combined with other findings. You can prioritize from there based on the risk to sensitive information, ease of resolution (time, complexity, etc.) and other criteria that matter to your organization.


Next Steps

Best practices for software security tests

How to choose the best security assessment tool

Ten steps to mastering Web app security assessments

Nine ways to bolster application security after an attack

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How does your team manage and prioritize the security software vulnerabilities you find when security-testing software?
Bug advocacy is a big deal and a skill in itself. I found that defect reports written in an abstract technical language are more likely to be ignored rather than those appealing to striking examples and emotions.
To be specific: for one product the tool reported "potential penetration weakness for drop down field" - it didn't look scary at all for the product owner. Then I filed a would-be legal record signing it as Palpatin from the Galaxy Far Far Away - using the weakness above - and the defect became freakishly dangerous.