/may 7, 2014

Security Testing: What's Your Remediation Plan?

By Jon Janego

Application security testing is finally mainstream, after years of effort. Whether it’s compliance-driven or a result of the increasing realization that information security is about a lot more than just firewalls, application security testing is happening in most organizations. Here at Veracode, we test thousands of apps a year – and that number is only growing. All of this testing is great! It’s bringing awareness to security flaws that may have otherwise lived in the wild until being exploited. However, it has surfaced a larger, more challenging issue – what do you do after the test is complete and you have your results? “Fix them!” is the obvious answer – but it isn’t always that simple. Let’s talk about a few of the things that get in the way:
  • Time Budgets - This is the number one issue that comes up in my experience – security testing is performed too late in the release cycle, and the product managers have not budgeted adequate time for the test and the remediation activities
  • Governance - The corporate security team may have the mandate to perform security testing – but they don’t have the mandate to stop a release of vulnerable code
  • Financial Budgets - The security testing budget may have only included the security test itself – not any remediation assistance or re-testing
  • Training - Developers try and fix security flaws, but are unable to do so before releasing to production
  • Poor Results Quality - The security tester or platform may have found security flaws, but not clearly explained how to replicate them– developers may not even know how to replicate the test to check if their fix works

None of these are exactly technical problems – these are management issues. IT leadership and security and development teams can take a few strategies to ensure that application security testing leads to effective remediation:

Budget Security Testing and Remediation into Your SDLC

  • Whether Agile or Waterfall – security testing needs to be an explicit part of the release schedule so that expectations around testing and remediation are set properly at the beginning of a project

Streamline the Testing and Re-testing Process

  • If you’re using an automated platform (like Veracode) – allow the development teams to submit their own tests and to re-test them without needing to involve outside teams
  • If working with manual penetration testers - coordinate closely to ensure that re-testing is possible with your schedule requirements - and make re-testing part of the pen test project budget

Developer Education

  • Train your development teams on secure coding practices!
  • Having a “security focal” developer is a model that works well – a senior developer who can answer other team members’ security questions

Empower Security Teams

  • Give information security teams the final call if an application can be released
  • Security teams aren’t “getting in the way” – they’re trying to protect users and the company brand

Veracode helps support these activities in several ways. Our self-service testing platform makes it simple for developers to rescan applications. Additionally, our APIs can integrate with build platforms, simplifying the testing process even further. Our security consulting team is available to all customers to provide technical remediation support for flaws identified in the testing process. And our program management team helps to build effective application security testing processes. Application security testing without a clear remediation plan can be, in some ways, worse than no testing at all. Testing without a remediation plan shows that the organization tried to find security flaws, but didn’t follow the process all of the way through. That is the type of mistake that can lead to some major finger pointing and potential liability in the case of a security breach. And while each organization is different, what consistently works in most cases is to empower both the security and development teams to take charge of their security testing processes, with the clear goal in mind of fixing the identified flaws. Nobody wants to release flawed code, but sometimes teams are pressured to do just that. Making security testing a seamless part of the development cycle will improve the overall security of the business, leading to happier customers, investors, and - developers!

Related Posts

By Jon Janego

Senior Product Manager for Veracode Static analysis. Jon is responsible for the strategy of all Veracode Static Analysis features. Jon has been with Veracode since 2013, and has been working in information security since 2008 in a variety of consulting and product-oriented roles. Jon lives in Chicago, IL.