As with many other business analysis issues, there are three sides to the story when looking at Web application security testing: yours, the findings of your vulnerability assessment, and the truth. Whether you’re using a commercial or open source scanner, you’re undoubtedly going to glean a lot of information and come across vulnerabilities. The problem is that many of these Web application security holes aren’t as big a deal as they may seem. Regardless of any marketing fluff or pre-canned security policies and reports, your organization’s network, business needs, and risk tolerance dictate what really matters when it comes to sorting through all the results you get when performing a vulnerability assessment.
Web application security testing tools are extremely savvy and are able to root out vulnerabilities in minutes that would take the best hacker in the world hours, months, or more to find. The issue is that you've got to take the tool results and determine what actually matters in your environment. We've seen inexperienced Web application security consultants, managed security service providers, and auditors run vulnerability assessment scans and then hand the raw results over to their clients, claiming they have a bunch of problems that need to be fixed. Likewise, we've seen network administrators absolutely freak out when they see that their Web application security testing tool has found a dozen or more vulnerabilities. They believe the sky is falling and immediately run to management asking for more budget to buy more technology to fix the problems.