Discovering vulnerabilities is often the main objective of security teams within large organizations. This is achieved through initiatives such as penetration testing and source code review. But as we know, this is only the first step towards a secure organization. All those vulns need to be addressed, and the remediation process can often become cumbersome, and even confrontational, if not handled properly.
After you’ve completed your assessment and written up your report, and are ready to engage the app team with your findings, there are a few steps you can take to aid the remediation process:
- Review your findings internally — before engaging the app team, ensure you’ve met with your testers and have reviewed all vulnerabilities. Review reproduction steps, and ensure you have all come to an agreement over the risk rating. You will likely be questioned on the severity of at least a few vulns, so be prepared to defend your position.
- Review your findings with the dev team — instead of merely delivering an electronic copy of a report to the app team, schedule an assessment closeout meeting with them to cover all vulnerabilities. Be prepared to answer any questions they may have, specifically about remediation. If your tester cannot attend this meeting, then tip #1 above becomes all the more imperative.
- Review/Establish remediation expectations — your organization likely has a policy in place for remediating vulnerabilities. The time allowed to remediate a given vulnerability is often inversely correlated to its severity. These expectations should be communicated prior to starting the vulnerability assessment, during a kickoff meeting.
- Formulate a remediation plan — once vulnerabilities have been reviewed, and remediation expectations communicated, have the app team fill out a formalized remediation plan. You should create a plan template. Items to include: vuln ID, vuln title, severity, description (these fields should be pre-filled), plan, fix date, owner (these should be filled in by the dev team).