Tuesday, October 4, 2011

Dealing with security vulnerabilities ... er... bugs

A serious problem in many organizations is that development teams (and their business sponsors) don't take ownership for understanding and managing software security risks, and often try to ignore vulnerabilities or hide them. Without real pressure from the top, it's hard to convince developers and management that dealing with security vulnerabilities is a priority because vulnerabilities aren't requirements or real problems — they are potential problems and risks that can be put off until later.

This is wrong. Vulnerabilities found in pen testing and reviews and scans are either bugs — real problems in the code that should be fixed — or they are noise — false positives or motherhood that can be ignored. Treating them as something different and distinct and managing them in a different way is a mistake.

Read my latest post at the SANS AppSec Street Fighter blog on Dealing with Security Vulnerabilities.

1 comment:

Institute in Gurgaon said...

SAP software technology arrangements help its customers and accomplices with coordination of start to finish business processes. With tremendous innovative work SAP has created applications that can confront each business situation as for vertical and space of specific enterprise.
For More Info:- SAP HR Training in Gurgaon

Site Meter