Talking with SANS About Remediation

We’ve been saying for a while that software vulnerability remediation is the next big problem in the application and software security space. Finding vulnerabilities isn’t the problem – fixing them is. And it isn’t just the mechanics of fixing the vulnerabilities, although lots of organizations have problems with that as well. Rather, it is the risk-ranking and prioritization of those vulnerabilities, and the justification of diverting expensive developer-hours away from building new features toward addressing technical debt that has grown up over time. (See Jeremiah Grossman’s recent blog post “Web Developer Resources are Scarce, Security is a Trade-Off” for a succinct description of the problem.)
These remediation stats don’t provide an easy answer to those problems, but they do start to provide a quantitative basis for organizations to understand likely costs and test out different scenarios. “What would it cost to get rid of SQL injection company-wide?” “How long will it take us to get rid of all Critical and High vulnerabilities?” “Is the estimate provided by the development team unrealistic?” Every organization is going to have to make their own decision about how to move forward; hopefully these stats put them in a better position to make that decision an informed one.
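To make the scenario questions above concrete, here is a small planning calculator, added as an illustration and not code from the original post or from Denim Group. It turns per-class mean fix times and a count of open findings into developer-hours, filters by severity (the “Critical and High” question), orders the backlog by severity and total effort, converts hours into calendar days for a team that only spends part of its time on remediation, and compares a development team’s own estimate against the model. Every figure in it is a constructed placeholder; the real statistics live in the RSA presentation linked below and are not reproduced on this page.

```python
"""Scenario calculator for vulnerability remediation planning.

Added example, not part of the original post. All fix-time figures,
severities and finding counts below are CONSTRUCTED placeholders, not the
Denim Group / SANS statistics (those are in the linked RSA presentation).
"""
import math
from dataclasses import dataclass

# Constructed catalogue: mean developer-hours to fix ONE finding of each class.
FIX_HOURS = {
    "sql_injection": 4.0,
    "reflected_xss": 2.0,
    "verbose_error_message": 1.0,
    "missing_security_header": 0.5,
}

# Constructed severity per class, used for the risk-ranking step.
SEVERITY = {
    "sql_injection": "Critical",
    "reflected_xss": "High",
    "verbose_error_message": "Medium",
    "missing_security_header": "Low",
}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Estimate:
    total_hours: float
    by_class: dict[str, float]  # vulnerability class -> developer-hours


def estimate_hours(counts, fix_hours=FIX_HOURS):
    """Developer-hours to fix every finding in `counts` (class -> open findings)."""
    by_class = {}
    for vuln_class, n in counts.items():
        if vuln_class not in fix_hours:
            # Refuse to guess: an unknown class silently costed at zero would
            # make the whole estimate look cheaper than it is.
            raise KeyError(f"no fix-time figure for {vuln_class!r}")
        by_class[vuln_class] = n * fix_hours[vuln_class]
    return Estimate(sum(by_class.values()), by_class)


def estimate_cost(total_hours, hourly_rate):
    """Monetary cost for 'what would it cost to get rid of X company-wide?'."""
    return total_hours * hourly_rate


def filter_by_min_severity(counts, min_severity, severity=SEVERITY):
    """Keep only classes at or above `min_severity`, e.g. 'High' keeps Critical+High."""
    limit = SEVERITY_ORDER[min_severity]
    return {c: n for c, n in counts.items() if SEVERITY_ORDER[severity[c]] <= limit}


def prioritized_plan(counts, fix_hours=FIX_HOURS, severity=SEVERITY):
    """Order classes by severity first, then by total effort (largest bucket first)."""
    est = estimate_hours(counts, fix_hours)
    return sorted(counts, key=lambda c: (SEVERITY_ORDER[severity[c]], -est.by_class[c]))


def estimate_calendar_days(total_hours, developers, hours_per_day=6.0,
                           remediation_share=0.25):
    """Elapsed working days when the team gives only `remediation_share` of its
    productive hours to fixing findings (the rest stays on feature work)."""
    capacity = developers * hours_per_day * remediation_share
    if capacity <= 0:
        raise ValueError("no remediation capacity")
    return math.ceil(total_hours / capacity)


def assess_team_estimate(model_hours, team_hours, tolerance=0.5):
    """Flag a team estimate that deviates from the model by more than `tolerance`."""
    if model_hours <= 0:
        raise ValueError("model estimate must be positive")
    ratio = team_hours / model_hours
    if ratio < 1 - tolerance:
        return "optimistic"
    if ratio > 1 + tolerance:
        return "pessimistic"
    return "plausible"


# Constructed snapshot of open findings across an organization's applications.
SAMPLE_FINDINGS = {
    "sql_injection": 30,
    "reflected_xss": 120,
    "verbose_error_message": 40,
    "missing_security_header": 200,
}

if __name__ == "__main__":
    everything = estimate_hours(SAMPLE_FINDINGS)
    crit_high = estimate_hours(filter_by_min_severity(SAMPLE_FINDINGS, "High"))
    print("all findings:", everything.total_hours, "hours")
    print("Critical+High only:", crit_high.total_hours, "hours")
    print("order of work:", prioritized_plan(SAMPLE_FINDINGS))
    print("calendar days, 5 devs at 25%:", estimate_calendar_days(crit_high.total_hours, 5))
    print("team says 100h:", assess_team_estimate(crit_high.total_hours, 100))
```

The `remediation_share` parameter is the knob that captures Grossman’s trade-off: the same backlog takes four times as long at 25% of team capacity as at 100%, which is usually the number that actually decides whether a plan is credible.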
See the full SANS “Ask the Expert” exchange here.
You can also see all of the data we’ve released in the RSA presentation “Remediation Statistics: How Much Does Fixing Application Vulnerabilities Cost” here:

dan _at_

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.

3 Responses to “Talking with SANS About Remediation”

  1. ID authentication

    Really trustworthy blog. Please keep updating with great posts like this one. I have bookmarked your site and am about to email it to a few friends of mine that I’m sure will appreciate it as well!

  2. Profit From Home Academy

    This information is priceless. When can I find out more?


    I simply could not leave your website prior to suggesting that I extremely loved the usual information a person provide for your guests? Is gonna be again continuously to investigate cross-check new posts
