Vulnerability Remediation Tips

Wednesday, January 29, 2014

Krishna Raja


Discovering vulnerabilities is often the main objective of security teams within large organizations. This is achieved through initiatives such as penetration testing and source code review. But as we know, this is only the first step towards a secure organization: every vulnerability found still has to be fixed, and the remediation process can easily become cumbersome, and even confrontational, if it is not handled properly.

After you’ve completed your assessment and written up your report, and are ready to engage the app team with your findings, there are a few steps you can take to make remediation go more smoothly:

  1. Review your findings internally – before engaging the app team, meet with your testers and review every vulnerability. Walk through the reproduction steps, and make sure you all agree on the risk rating. You will likely be questioned on the severity of at least a few findings, so be prepared to defend your position.
  2. Review your findings with the dev team – instead of merely delivering an electronic copy of the report to the app team, schedule an assessment closeout meeting with them to cover all vulnerabilities. Be prepared to answer any questions they may have, especially about remediation. If your tester cannot attend this meeting, tip #1 above becomes all the more important.
  3. Review/establish remediation expectations – your organization likely has a policy in place for remediating vulnerabilities, and the time allowed to fix a given vulnerability usually shrinks as its severity rises. Communicate these expectations before the vulnerability assessment starts, during the kickoff meeting, so the deadlines are not a surprise at closeout.
  4. Formulate a remediation plan – once the vulnerabilities have been reviewed and the remediation expectations communicated, have the app team fill out a formal remediation plan. Create a plan template for this. Items to include: vuln ID, vuln title, severity, description (pre-filled by the security team), and plan, fix date, owner (filled in by the dev team). Check each fix date the dev team commits to against the expectations from tip #3.
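The template from tip #4 and the severity-based deadlines from tip #3 are easy to automate. The following is an added example, not code from the original post or from SC Labs: it pre-fills the security-team fields of the plan, derives a due date from a severity policy, and reports which rows the dev team still has to complete or has scheduled past the deadline. The SLA_DAYS table, the field names, the two sample findings and the dev-team answers are all assumptions constructed for the illustration; substitute your organization's own policy.

```python
"""Remediation-plan helper for tips #3 and #4.

Added example, not code from the original post or from SC Labs. It pre-fills
the security-team fields of the plan template, derives a due date from an
assumed severity-based policy, and reports which rows the dev team still has
to complete or has scheduled past the deadline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy (illustration only): days allowed to fix, decreasing with severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    """One reviewed vulnerability as it appears in the assessment report."""
    vuln_id: str
    title: str
    severity: str
    description: str


@dataclass
class PlanItem:
    """One row of the remediation plan template."""
    # Pre-filled by the security team from the report
    vuln_id: str
    title: str
    severity: str
    description: str
    due_date: date            # closeout date + policy allowance for this severity
    # Filled in by the dev team
    plan: Optional[str] = None
    fix_date: Optional[date] = None
    owner: Optional[str] = None


def build_plan(findings: List[Finding], closeout: date) -> List[PlanItem]:
    """Pre-fill the template; the remediation clock starts at the closeout meeting."""
    items = []
    for f in findings:
        if f.severity not in SLA_DAYS:
            raise ValueError(f"{f.vuln_id}: unknown severity {f.severity!r}")
        items.append(PlanItem(f.vuln_id, f.title, f.severity, f.description,
                              closeout + timedelta(days=SLA_DAYS[f.severity])))
    return items


def check_plan(items: List[PlanItem]) -> List[Tuple[str, str]]:
    """Return (vuln_id, problem) for rows that are incomplete or miss the deadline."""
    problems = []
    for it in items:
        if not (it.plan and it.owner and it.fix_date):
            problems.append((it.vuln_id, "incomplete: plan, owner and fix date are required"))
        elif it.fix_date > it.due_date:
            late = (it.fix_date - it.due_date).days
            problems.append((it.vuln_id, f"fix date exceeds {it.severity} allowance by {late} days"))
    return problems


def run_example() -> Tuple[List[PlanItem], List[Tuple[str, str]]]:
    """Constructed sample: two findings, a closeout on the post's date, and hypothetical dev-team answers."""
    findings = [
        Finding("VULN-001", "SQL injection in login form", "Critical",
                "Unsanitised 'user' parameter reaches the authentication query."),
        Finding("VULN-002", "Missing HttpOnly flag on session cookie", "Low",
                "Session cookie is readable from script."),
    ]
    items = build_plan(findings, date(2014, 1, 29))
    # Hypothetical dev-team response: the critical fix is scheduled 5 days past its due date.
    items[0].plan, items[0].owner, items[0].fix_date = "Parameterise the query", "app-team lead", date(2014, 2, 10)
    items[1].plan, items[1].owner, items[1].fix_date = "Set HttpOnly in session config", "app-team lead", date(2014, 6, 1)
    return items, check_plan(items)


if __name__ == "__main__":
    items, problems = run_example()
    for it in items:
        print(f"{it.vuln_id} {it.severity:8} due {it.due_date} fix {it.fix_date} owner {it.owner}")
    for vuln_id, problem in problems:
        print(f"  {vuln_id}: {problem}")
```

Running it prints the pre-filled rows and flags VULN-001, whose committed fix date is five days past the seven-day allowance for a Critical finding; that is exactly the conversation tip #3 is meant to front-load at the kickoff rather than at closeout.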

Cross-posted from the SC Labs Blog.

Marie Newton The goal of the remediation team is to deliver the appropriate remedy to the vulnerabilities which are occurring. The tips mentioned above would be helpful for the remediation team.
Don Jackson Inside my company we've addressed this problem the old-fashioned way: testing, remediation and testing again BEFORE an in-house developed app or system goes to production. All too often remediation teams cannot get work completed because it’s too late: the app is already in use and developers have moved on to the next big thing, or somebody is afraid the fix will break something else. Well, luckily we (our security department) have convinced… proved… demonstrated, however you’d like to characterize it, we’ve shown that having security involved from the ground up in the planning and building is best.
We all have individual projects that we are responsible for, and based on the technology involved we can lean on each other for assistance: where I may be stronger in the areas of SSL and database deployment, one of my security teammates is an expert in web-based applications and deployment and another has more experience with mobile development, so we assist/teach each other. It also helps that everyone in our security department has some level of experience conducting pen-testing and writing code. Also, management has allowed us to hold up a system if it does not meet the security requirements and best practices, and we got this buy-in because we showed our C-level people and other management how good security means less of an attack/threat surface for the bad guys to work with.
We (security) use retired servers running VMware and Oracle VM VirtualBox, where we try to duplicate the system in question as closely as possible if we cannot have a copy of it to do our testing on. We’ve also “trained” management to use the word REMEDIATION versus MITIGATION, because at one point I couldn’t tell if they even knew the difference, and to me that in itself has been the biggest positive in this whole experience for us: changing the mindset.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
