Telling Developers About Vulnerabilities Isn't Enough

by Bill Sempf 11. May 2018 15:25

To many security firms, a web application vulnerability assessment is a list of confirmed exploitable findings in a web application. They index the site, run scans, test manually, do research, and write it all down. The report will get you through a PCI audit.

That's not enough. You must tell the developer how to fix the problem, and "apply patches" isn't enough. If you find cross-site request forgery and can't explain to the developer how to fix the problem on their platform, you aren't doing enough. "Add a token" isn't enough. "Apply fix as appropriate for your language" isn't enough. If you don't know, that's fine, but learn.
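What an actionable CSRF remediation looks like, as an added example that is not from the original post: the synchronizer-token pattern (one random token per session, embedded in every state-changing form, checked server-side before anything changes). The `session` dict and the form/handler function names are assumptions standing in for whatever the developer's framework provides.

```python
import hmac
import html
import secrets


def issue_csrf_token(session):
    """Create the session's CSRF token on first use, then reuse it."""
    if "csrf_token" not in session:
        # 32 random bytes, URL-safe base64: safe to place in an HTML attribute.
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def validate_csrf(session, submitted):
    """True only if the submitted token matches the one bound to this session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so a mismatch does not leak through timing.
    return hmac.compare_digest(expected, submitted)


def render_form(session, action):
    """Emit a form carrying the token in a hidden field (what 'add a token' means)."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="{}">'
        '<input type="hidden" name="csrf_token" value="{}">'
        '<button type="submit">Change email</button></form>'
    ).format(html.escape(action, quote=True), token)


def handle_post(session, form):
    """Reject the request before touching any state if the token is missing or wrong.

    Returns an (http_status, message) pair; the assumed framework would turn
    this into a real response.
    """
    if not validate_csrf(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # ... perform the state change only after the token has been validated ...
    return 200, "ok"
```

The same check has to run on every state-changing endpoint; a token that is issued but never validated is exactly the "add a token" advice the post complains about.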

We are, as an industry, doing a tremendous disservice to companies by selling them 68 pages of non-actionable fluff for $10,000. If you, as a tester, aren't sure how to fix it, look it up, ask someone, or work directly with the developer to find a solution.


