Let’s say you’ve just had a pen test or security scan performed on your application. You review the list of findings and get to work on remediation. Apart from obvious shortcomings of any individual single assessment technique, you may also be doing a disservice to meeting your business goals. Here’s why:
The goal of your assessment is likely to understand open risks in your application with the goal of remediating or otherwise compensating for those risks. In most cases you only have a limited amount of developer time to fix security issues as they try to juggle building business value with new features. The problem is that by focusing remediation efforts on what a scanner or pen test finds, you are monopolizing precious developer time to fix the issues that technique can find rather than the risks that actually matter to your business.
For example, suppose your scanner identified Missing HttpOnly cookie flag as a finding. At the same time, your scanner was unable to find the kind of basic authorization flaws that grab international headlines, such as the ‘delete any photo on Facebook’ bug that a researcher found last week. By focusing on the scanner result, you may be spending precious developer time on the cookie flag even though the authorization issue is a much bigger risk to your organization.
A more sensible approach is to start with identifying the risks that you care about, either through automated security requirements analysis, threat modeling, or some other technique. With risks identified, you determine which of those risks your assessment technique is capable of finding and which ones it can’t find. Use other techniques to assess the gaps, either by manual testing/code review or — if resources are tight — just asking developers if they do things like perform authorization checks on all API calls. As we’ve said before, coming up with a list of risks you care about doesn’t prevent you from looking for other kinds of vulnerabilities. It does, however, allow you to focus your efforts on the risks which can be harmful to your business since 78% of real incidents are easily preventable.