Navigating security scan findings

Team Merlin
Government Digital Services, Singapore
4 min read · Mar 1, 2024

Security Analyst: “Hey boss, we’ve added a new security scan into our pipeline.”

Boss: *Sees hundreds of findings* “We will never go live at this rate.”

Does the above look/sound familiar? 😉

Previously we talked about why security reviews should be conducted, and why and how we should keep track of our security risks. We also know that dealing with security scan findings is not simply a matter of throwing the problem at software engineers and expecting them to rectify everything in one day. It requires coordination and a systematic approach between all the stakeholders. Hence, in this article, we will share how to approach your first security scan findings.

1. Understanding security scan findings

The first and most important step in dealing with security scan findings is gaining a comprehensive understanding of the reported issues. Security scans may identify various vulnerabilities — outdated software, misconfigurations, weak passwords, exposed API keys, etc. Security tools with a built-in dashboard usually categorise findings by severity level and potential impact, which helps you prioritise your effort.

Example of a dashboard view taken from Fortify

When you’ve successfully run your first scan, chances are you will be bombarded with hundreds of findings, especially when this happens late in the development cycle. Having someone who understands the scan findings and is familiar with the project structure is very important in this step! This person can help sort out the false positives and save the time and effort of fixing something that isn’t relevant. For example, when a security tool is configured to connect to your web application via a different network route, it may flag (lots of) false positives.

2. Prioritisation and risk assessment

Not all security scan findings are of equal importance; prioritising vulnerabilities based on their potential impact on the system’s security is crucial. The rating given by the scanning tools should not be taken 100% at face value, as it may not exactly align with your organisation’s or project’s risk matrix. Referring to that risk matrix helps determine which issues pose the most significant threat and require immediate attention.

Check out our previous article about Analysing Risks.
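Re-rating scanner findings against a project risk matrix and setting aside documented false positives, as described in sections 1 and 2, as an added Python example (not code from the article or from Fortify); the findings, matrix values, suppression reason and ticket number are constructed placeholders.

```python
# Constructed sample scanner output; field names are hypothetical, not Fortify's.
FINDINGS = [
    {"id": "F-1", "rule": "hardcoded-api-key", "where": "src/config.py", "tool_severity": "Critical"},
    {"id": "F-2", "rule": "outdated-dependency", "where": "requirements.txt", "tool_severity": "High"},
    {"id": "F-3", "rule": "missing-hsts-header", "where": "GET / (via scanner route)", "tool_severity": "Medium"},
    {"id": "F-4", "rule": "weak-password-policy", "where": "src/auth.py", "tool_severity": "Low"},
]

# Project risk matrix (hypothetical): likelihood and impact on a 1-5 scale as assessed
# for THIS system; the product is bucketed into the organisation's severity bands.
RISK_MATRIX = {
    "hardcoded-api-key":    {"likelihood": 4, "impact": 5},
    "outdated-dependency":  {"likelihood": 2, "impact": 3},  # internal-only, no known exploit
    "missing-hsts-header":  {"likelihood": 3, "impact": 2},
    "weak-password-policy": {"likelihood": 4, "impact": 4},  # internet-facing login page
}
BANDS = [(15, "High"), (8, "Medium"), (0, "Low")]  # score floor -> band

# Documented false positives: every suppression carries a reason and a tracking ticket.
SUPPRESSIONS = {
    "F-3": {"reason": "Scanner reaches the app via an internal route that bypasses the "
                      "TLS-terminating proxy; HSTS is set on the public endpoint.",
            "ticket": "PROJ-000 (placeholder)"},
}

def rate(rule: str, matrix=RISK_MATRIX) -> tuple[int, str]:
    """Score = likelihood * impact; rules missing from the matrix default to the top band."""
    entry = matrix.get(rule, {"likelihood": 5, "impact": 5})  # never silently ignore a rule
    score = entry["likelihood"] * entry["impact"]
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band

def triage(findings=FINDINGS, suppressions=SUPPRESSIONS) -> list[dict]:
    """Attach the project rating to each finding and order open items by project risk;
    suppressed findings stay in the output (last) so the decision remains on record."""
    out = []
    for f in findings:
        score, band = rate(f["rule"])
        sup = suppressions.get(f["id"])
        out.append({**f, "score": score, "project_rating": band,
                    "status": "false-positive" if sup else "open",
                    "note": f"{sup['reason']} [{sup['ticket']}]" if sup else ""})
    return sorted(out, key=lambda t: (t["status"] != "open", -t["score"]))

if __name__ == "__main__":
    for t in triage():
        print(f"{t['id']} {t['status']:<14} tool={t['tool_severity']:<8} "
              f"project={t['project_rating']:<6} ({t['score']:>2}) {t['rule']}")
```

Note how F-4 moves from the tool's "Low" to the project's "High" because the login page is internet-facing, while F-3 drops out of the work queue only with a written reason and ticket attached.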

3. Developing a remediation plan

Once vulnerabilities are prioritised, it’s time to develop a remediation plan. This plan should outline the steps required to address each identified issue systematically. In some cases, quick fixes may be available, while others may require more extensive changes or updates. This will require collaboration among the software engineers, security analysts and project lead in order to meet the compliance requirements and the project timeline.

4. Continuous monitoring, testing, and remediation

As we mature our processes from DevOps to DevSecOps, addressing security scan findings is no longer a one-time task near the end of your project cycle. Regular monitoring, testing, and remediation should be integrated into your process.

Scanning tools get new signatures regularly to pick up on the latest vulnerabilities. Periodic security testing ensures that existing security measures remain effective. Having a well-oiled team that can understand and work quickly to mitigate findings is essential for staying ahead of evolving cyber threats.

5. Documentation and reporting

Documentation is not only essential for accountability and compliance purposes; it can also save you from duplicated effort in the future. From the initial security scan findings, discussions and design decisions to the remediation efforts, we should document everything in as much detail as possible. This can be done directly in the security dashboard when we update the status of a finding, or in the project documentation/JIRA ticket.

Proper documentation takes a lot of time and effort, but it will serve as your knowledge base as your project grows. When encountering similar findings/issues in the future, it will be easy for project members to search and understand why certain decisions were taken and why certain modules are designed the way they are.

Example of documenting remediation steps and decision

Dealing with security scan findings is a dynamic and ongoing process that requires a proactive and collaborative approach. By understanding the nature of vulnerabilities, prioritising based on your organisation’s risk matrix, developing comprehensive remediation plans and maintaining continuous monitoring, we can maximise the efficacy of security scans. It takes time to build up capabilities, get the various stakeholders working together and sort out the kinks.

Do share and discuss in the comment section below on your own experiences. Till then, stay safe and keep learning!

🧙🏼‍♀Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.
