Once you’ve completed a security assessment as a part of your web application development, it’s time to go down the path of remediating all of the security problems you uncovered. At this point, your developers, quality assurance testers, auditors, and your security managers should all be collaborating closely to incorporate security into the current processes of your software development lifecycle in order to eliminate application vulnerabilities. And with your Web application security assessment report in hand, you probably now have a long list of security issues that need to be addressed: low, medium, and high application vulnerabilities; configuration gaffes; and cases in which business-logic errors create security risk. For a detailed overview on how to conduct a Web application security assessment, take a look at the first article in this series, Web Application Vulnerability Assessment: Your First Step to a Highly Secure Web Site.
First Up: Categorize and Prioritize Your Application Vulnerabilities
The first stage of the remediation process within web application development is categorizing and prioritizing everything that needs to be fixed within your application, or Web site. From a high level, there are two classes of application vulnerabilities: development errors and configuration errors. As the name says, web application development vulnerabilities are those that arose through the conceptualization and coding of the application. These are issues residing within the actual code, or workflow of the application, that developers will have to address. Often, but not always, these types of errors can take more thought, time, and resources to remedy. Configuration errors are those that require system settings to be changed, services to be shut off, and so forth. Depending on how your organization is structured, these application vulnerabilities may or may not be handled by your developers. Oftentimes they can be handled by application or infrastructure managers. In any event, configuration errors can, in many cases, be set straight swiftly.
At this point in the web application development and remediation process, it’s time to prioritize all of the technical and business-logic vulnerabilities uncovered in the assessment. In this straightforward process, you first list your most critical application vulnerabilities with the highest potential of negative impact on the most important systems to your organization, and then list other application vulnerabilities in descending order based on risk and business impact.