I am sure many of you will agree that one of the biggest challenges in Application Security is ensuring that developers fix the security issues identified by vulnerability scanning tools. I’ve asked a number of developers “Why aren’t you fixing these issues?” Almost always the answer is “I didn’t know that I needed to address this issue”, or “I didn’t know these issues needed to be fixed immediately.”
If we look at the overall vulnerability management lifecycle, only about 30% of the time is spent running scans but 70% of the total time is spent tracking the issues and closing them. In most companies there are basic SAST and DAST tools, and depending on the size of the company, these may be either open source or commercial products. However, time and again we find there is a basic lack of good processes to address these vulnerabilities by integrating remediation procedures into standard workflows.
What are some of the challenges in overall security remediation?
- Security teams and development teams use different systems to track and often different language to describe issues. Developers tend to think in terms of “bugs” and “defects,” while security teams think in terms of “vulnerabilities.”
- Often, there is no clear process to track redundant vulnerabilities (the same weakness reported more than once, whether by repeated scans or by different tools).
- Vulnerabilities discovered by different security scans (Source Code Scanner, Dynamic Scanners, Manual testing) are not well correlated to one another.
- The business hasn’t defined its risk rating process or risk appetite.
- No service level agreement (SLA) is in place to manage the process.
How to overcome these challenges?
Some of these challenges are human, process or culture related, and it takes time to change them. One approach is to list out the challenges, actors, and ways to overcome them with timelines. Something similar to the table below might help.
|Challenges|Actors|Options|When to complete|
|---|---|---|---|
|Integrate tracking system between development and security teams| |Create a single system| |
God Sent JIRA
JIRA is a particularly interesting tool and it has some great features. Many development teams use JIRA or a JIRA-like solution to track bugs and manage feature requests for their product. Integrating security into this lifecycle will save you a lot of time in the long run, because you’re leveraging the existing workflow processes developers are already using.
Two possible approaches to working with JIRA
- Create an intermediate application that integrates your vulnerability findings data with JIRA’s functionality. ThreadFix (https://code.google.com/p/threadfix/ ) is an open source platform and may be a good option. ThreadFix allows you to integrate vulnerabilities from different systems. It performs normalization, removes duplicates (same issue from different tools), identifies themes, removes false positives, etc.
- Create a project within JIRA and do all the work mentioned above.
There are pros and cons to each approach. With the first one, you can keep your target system clean and perform more robust analysis. The second approach gives you the benefit of keeping everything in one single system.
If you are using JIRA (as mentioned in option 2) you can easily create a workflow within JIRA to send the issues to the project that developers use to track their bugs. This workflow can use a “link” approach, so that each issue in the “security” project is linked to its counterpart bug in the “development” project.
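The work that either approach has to do (normalizing findings from different scanners, removing duplicates, attaching a risk rating and SLA, and creating linked tickets) is easier to see in code. The following is an added illustration written for this article; it is not ThreadFix, AsTech or Atlassian code. The two scanner output formats, the route-to-source-file mapping, the project keys and the SLA days are constructed assumptions; only the shape of the JIRA REST payloads (the `fields` object accepted by `POST /rest/api/2/issue` and the issue-link object accepted by `POST /rest/api/2/issueLink`) reflects the real API. No HTTP calls are made, so it runs offline.

```python
"""Normalize, de-duplicate and ticket scanner findings (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from urllib.parse import urlparse
import hashlib

SEVERITY_RANK = ["low", "medium", "high", "critical"]
# Assumed SLA (days to fix) per severity: this is the "risk appetite" the
# business has to define before any workflow can enforce it.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample output from two hypothetical tools (SAST and DAST).
SAST_FINDINGS = [
    {"rule": "CWE-89", "file": "src/db/Orders.java", "line": 42, "sev": "High", "msg": "SQL injection"},
    {"rule": "CWE-79", "file": "src/web/Comment.java", "line": 17, "sev": "Medium", "msg": "Reflected XSS"},
]
DAST_FINDINGS = [
    {"cwe": 89, "url": "https://app.example.test/orders?id=1", "severity": "critical", "title": "SQL Injection"},
    {"cwe": 79, "url": "https://app.example.test/comments", "severity": "medium", "title": "Cross-site scripting"},
]
# Constructed correlation data: which URL route is served by which source file.
ROUTE_TO_FILE = {"/orders": "src/db/Orders.java", "/comments": "src/web/Comment.java"}


@dataclass
class Finding:
    cwe: int
    location: str                               # source file where possible
    severity: str                               # lowercase, see SEVERITY_RANK
    title: str
    sources: list = field(default_factory=list)  # tools that reported it

    @property
    def fingerprint(self) -> str:
        """Stable key used to recognise the same weakness across tools."""
        return hashlib.sha256(f"{self.cwe}|{self.location}".encode()).hexdigest()[:16]


def normalize_sast(raw: dict) -> Finding:
    return Finding(cwe=int(raw["rule"].split("-")[1]), location=raw["file"],
                   severity=raw["sev"].lower(), title=raw["msg"], sources=["sast"])


def normalize_dast(raw: dict) -> Finding:
    path = urlparse(raw["url"]).path
    # Map the route onto a source file so SAST and DAST results correlate.
    return Finding(cwe=raw["cwe"], location=ROUTE_TO_FILE.get(path, path),
                   severity=raw["severity"].lower(), title=raw["title"], sources=["dast"])


def deduplicate(findings: list) -> list:
    """Merge findings with the same fingerprint, keeping the highest severity."""
    merged = {}
    for f in findings:
        existing = merged.get(f.fingerprint)
        if existing is None:
            merged[f.fingerprint] = f
            continue
        if SEVERITY_RANK.index(f.severity) > SEVERITY_RANK.index(existing.severity):
            existing.severity = f.severity
        existing.sources = sorted(set(existing.sources + f.sources))
    return list(merged.values())


def jira_issue_payload(finding: Finding, project_key: str, today: date) -> dict:
    """Body for POST /rest/api/2/issue; the due date encodes the SLA."""
    days = SLA_DAYS[finding.severity]
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[{finding.severity.upper()}] CWE-{finding.cwe}: {finding.title} in {finding.location}",
        "description": (f"Reported by: {', '.join(finding.sources)}\n"
                        f"Fingerprint: {finding.fingerprint}\nSLA: fix within {days} days"),
        "labels": ["security", f"cwe-{finding.cwe}"],
        "duedate": (today + timedelta(days=days)).isoformat(),
    }}


def link_payload(security_key: str, dev_key: str) -> dict:
    """Body for POST /rest/api/2/issueLink: ties the security ticket to the dev bug."""
    return {"type": {"name": "Relates"},
            "inwardIssue": {"key": security_key}, "outwardIssue": {"key": dev_key}}


def triage(today: str) -> list:
    """Run the whole pipeline on the constructed samples; `today` is YYYY-MM-DD."""
    findings = deduplicate([normalize_sast(r) for r in SAST_FINDINGS]
                           + [normalize_dast(r) for r in DAST_FINDINGS])
    return [jira_issue_payload(f, "SEC", date.fromisoformat(today)) for f in findings]


if __name__ == "__main__":
    for payload in triage(date.today().isoformat()):
        print(payload["fields"]["summary"], "due", payload["fields"]["duedate"])
```

Four raw findings collapse to two tickets: the SQL injection seen by both tools becomes one critical issue (the higher of the two ratings wins) with a seven-day due date, and the ticket description records which tools reported it, which is the information a developer needs to stop asking "did I really need to fix this?".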
As mentioned earlier, this is a difficult task but clearly worthwhile. While no single solution is ever likely to be the Holy Grail, a project with a clear vision and a step-by-step approach will help make the vulnerability lifecycle significantly more manageable.
To learn more about how AsTech Consulting can help your organization optimize your vulnerability management process and integrate remediation efforts into developer workflow, please visit us at https://www.astechconsulting.com/sdlc-consulting