Remediation process
After the risks are determined and the vulnerabilities are prioritized, the security team can start the remediation process.
Here is a basic workflow:
- The security manager sets priorities for remediation and assigns remediation tasks to the development team. If the likelihood of exploitation is minimal, the security manager might decide to accept some degree of risk and not assign some vulnerabilities for remediation. In some circumstances, monitoring the situation for a set period might be the best course of action.
- Developers fix the highest priority vulnerabilities.
- QA engineers run the appropriate tests against the new version of the application, confirm that remediation was successful, and forward the data to the security manager.
Security managers can also take other courses of action that go beyond fixing defects:
- Train developers on secure coding techniques
- Provide code libraries that address the issues
- Create test plans and scripts to detect defects early in the development lifecycle
- Establish best practices for secure coding in application specifications
Resolving security issues and viewing remediation assistance
AppScan Enterprise alerts you to security vulnerabilities and helps you resolve them.
Procedure
- In an application, click the Issue ID to open an About this Issue report dialog that provides advisories, fix recommendations, and a wealth of other information about the selected issue. See About this Issue report to learn what information the report provides.
- Read Troubleshooting False Positives in AppScan Enterprise.