Telling Developers About Vulnerabilities Isn't Enough

To many security firms, a web application vulnerability assessment is a list of confirmed exploitable findings in a web application.  They index the site, run scans, manually test, do research, and write them all down.  The report will get you through a PCI audit.

That's not enough.  You must tell the developer how to fix the problem, and "apply patches" isn't enough.  If you find cross-site request forgery and can't explain to the developer how to fix the problem on their platform, you aren't doing enough.  "Add a token" isn't enough.  "Apply fix as appropriate for your language" isn't enough.  If you don't know, that's fine, but learn.
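For the cross-site request forgery case above, here is the kind of concrete, platform-level guidance the post is asking for. This is an added example, not code from the original post: a framework-agnostic synchronizer-token pattern in Python. The `session` dict, the `form` and `headers` dicts, and the `allowed_origin` value are assumptions standing in for whatever the developer's own framework provides; the token is generated from the OS CSPRNG, compared in constant time, and backed up by an Origin header check on state-changing requests.

```python
import hmac
import secrets

# Assumptions for this illustration: "session" is the server-side session store
# your framework gives you (a plain dict here), "form" holds the parsed POST body,
# and "headers" holds the request headers. Adapt the plumbing to your platform.
TOKEN_KEY = "csrf_token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods are not checked


def issue_csrf_token(session: dict) -> str:
    """Create the per-session CSRF token on first use and reuse it afterwards."""
    token = session.get(TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        session[TOKEN_KEY] = token
    return token


def render_form(session: dict, action: str) -> str:
    """Embed the session's token as a hidden field in every state-changing form."""
    token = issue_csrf_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">'
        '<input type="submit" value="Save"></form>'
    )


def csrf_check(session: dict, method: str, form: dict,
               headers: dict, allowed_origin: str) -> bool:
    """Return True only if a request is safe to act on.

    Safe methods pass. Anything else must carry a token that matches the
    session's token (constant-time compare) and, if the browser sent an Origin
    header, that origin must be our own site.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not submitted:
        return False                          # no token issued or none submitted
    # Encode to bytes so compare_digest never raises on non-ASCII input.
    if not hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != allowed_origin:
        return False                          # cross-origin POST: reject
    return True


if __name__ == "__main__":
    # Constructed walk-through: render a form, then replay its token on a POST.
    sess = {}
    html = render_form(sess, "/settings")
    good = csrf_check(sess, "POST", {TOKEN_KEY: sess[TOKEN_KEY]},
                      {"Origin": "https://app.example"}, "https://app.example")
    forged = csrf_check(sess, "POST", {TOKEN_KEY: "A" * 43},
                        {"Origin": "https://evil.example"}, "https://app.example")
    print("legitimate POST accepted:", good)
    print("forged POST accepted:", forged)
```

The token lives in the session and the form, never in a cookie alone, because the browser will attach cookies to a forged request but cannot read or copy the hidden field from another origin. If a framework already provides this (most do), the remediation note should name that feature and show how to enable it rather than stopping at "add a token".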

We are, as an industry, doing a tremendous disservice to companies by selling them 68 pages of non-actionable fluff for $10,000.  If you, as a tester, aren't sure how to fix it, look it up, ask someone, or work directly with the developer to find a solution.


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
