[WEB SECURITY] security findings management

Robert A. robert at webappsec.org
Mon Dec 19 12:26:31 EST 2011


Hello Lebeau,

For software security-related problems I find it best to utilize the bug 
tracking system used by development. By using the existing system you 
don't need people to learn/maintain another tool, not to mention it shows 
up in the developers' to-do list during triage just like any other bug.

I've written a few articles on this subject; the first outlines specific modifications that you
can implement in your bug-tracking system in order to better track/measure software security defects.

  Tracking and understanding security related defects: Useful data points for shaping your SDLC program
  http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html

The second article outlines prioritization/handling of these security defects once they've been filed.

  Setting the appropriate security defect handling expectations in development and QA
  http://www.qasec.com/2009/06/setting-the-appropriate-security-defect-handling-expectations-in-development-and-qa.html



Regards,
- Robert A
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/


On Thu, 15 Dec 2011, Lebeau Frederic wrote:

> Hello, I'm looking for a tool to manage (keep trace, history, status) all
> security issues found during dynamic testing or code review activities.
> Can someone help me?
>
> Thanks
>
