[WEB SECURITY] security findings management

Taras oxdef at oxdef.info
Tue Dec 20 14:20:44 EST 2011


> For software security related problems I find it best to utilize the bug
> tracking system used by development. By using the existing system you
> don't need people to learn/maintain another tool, not to mention it
> shows up in the developers todo list during triage just like any other bug.

Totally agree! We also use a single bug tracking system with developers to
report and track security related bugs, because a security bug in the
application, from the developers' point of view, is also a bug. So using the
existing bug tracking solution is the right decision. The advice is
to mark such bugs with a special tag, e.g. "Security flaw". It is useful
for easily sorting out security bugs.

> I've written a few articles on this subject, the first outlines specific
> modifications that you
> can implement in your bugtracking system in order to better
> track/measure software security defects
>
> Tracking and understanding security related defects: Useful data points
> for shaping your SDLC program
> http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html
>
>
> The second article outlines prioritization/handling of these security
> defects once they've been filed.
>
> Setting the appropriate security defect handling expectations in
> development and QA
> http://www.qasec.com/2009/06/setting-the-appropriate-security-defect-handling-expectations-in-development-and-qa.html
>
>
>
>
> Regards,
> - Robert A
> WASC Co Founder/Moderator of The Web Security Mailing List
> http://www.webappsec.org/
> http://www.qasec.com/
> http://www.cgisecurity.com/
>
>
> On Thu, 15 Dec 2011, Lebeau Frederic wrote:
>
>> Hello, I'm looking for a tool to manage (keep trace, history, status) all
>> security issues found during dynamic testing or code review activities.
>> Can someone help me?
>>
>> Thanks
>>


-- 
Taras
http://oxdef.info
----
"Software is like sex: it's better when it's free." - Linus Torvalds
