“FIX IT!” Ain’t Gonna Cut It: Kicking Off a Software Security Remediation Project

Imagine this scenario: Your development team builds an application and puts it into production. Down the road, a customer asks you to do a security assessment. You run a scanner against the application and perhaps even do some manual penetration testing. The result is you end up with a long list of vulnerabilities and the customer wants them fixed. So the security team meets with the development team and the exchange goes something like this:

Thanks, security team! Very helpful! Come back any time…

If you’re going to spend the time and resources diverting development teams from building new features to fixing security vulnerabilities, all parties involved owe it to themselves to make sure the effort is successful. Based on our experience doing software security remediation projects, the ones that are approached in a thoughtful and structured manner tend to do far better than the ones based on a mandate of “FIX IT!” We’ve developed a HOW-TO guide for software security remediation projects outlining just such a structure, and these projects start with an Inception phase.

The Inception phase is used to get all the stakeholders together and on the same page. Software security remediation projects are typically software development projects, not security testing projects, and they need to be estimated and project-managed as such. They also force people from different parts of an organization, with different goals, to work together. Before moving forward, teams need to agree on things like:

  •  Approximate budget and where the budget is coming from
  •  Desired (but realistic) timeline
  •  Specific compliance or audit issues that must be addressed
  •  Initial project success criteria (“fix all the CRITICAL and HIGH vulnerabilities” or “fix all public-facing cross-site scripting”)

Given this shared understanding, the involved parties can start to work on planning the actual remediation effort. In the absence of such a consensus, the remediation project likely does not have a clear mandate, and that is a recipe for project failure.

Here is a short video talking a bit about the Inception phase for software security remediation projects. Hopefully you find it to be a bit more constructive than the previous one.

Also, you can read the full HOWTO Guide for Software Security Vulnerability Remediation here:

Contact us for help getting software security remediation projects off to a solid start.


dan _at_ denimgroup.com


Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.

Categories: Remediation

One Response to ““FIX IT!” Ain’t Gonna Cut It: Kicking Off a Software Security Remediation Project”

  1. Dan Kuykendall

    Fantastic post, if everyone could improve their development effort like this, then we would be out of business. Good thing for us that you are the exception to the rule ;)
