websecurity@lists.webappsec.org

The Web Security Mailing List


security findings management

Lebeau Frederic
Thu, Dec 15, 2011 10:44 PM

Hello, I'm looking for a tool to manage (keep track, history, status) all
security issues found during dynamic testing or code review activities.
Can someone help me?

Thanks

Dave Ferguson
Fri, Dec 16, 2011 4:38 AM

I've seen some of our larger clients use Rsam --
http://www.rsam.com/products_appasses.htm. From what I've seen, it does
everything you want, but I don't know the cost of this product.  It may or
may not be prohibitive.

-Dave

On Thu, Dec 15, 2011 at 4:44 PM, Lebeau Frederic <frederic.lebeau@websurf.be> wrote:

> Hello, I'm looking for a tool to manage (keep track, history, status) all
> security issues found during dynamic testing or code review activities.
> Can someone help me?
>
> Thanks
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Stephen De Vries
Fri, Dec 16, 2011 4:04 PM

You could also try any software issue tracking system, such as one of those listed here:

http://en.m.wikipedia.org/wiki/Comparison_of_issue-tracking_systems

Randy Witlicki
Fri, Dec 16, 2011 10:12 PM

Your question is perhaps a bit unclear.
Are you looking for a formal issue/bug tracking system (e.g. Trac)
or a system for ingesting log files?
If it is the latter, maybe something like Splunk (paid and free) may fit:
http://en.wikipedia.org/wiki/Splunk

Randy

Robert A.
Mon, Dec 19, 2011 5:26 PM

Hello Lebeau,

For software security related problems I find it best to utilize the bug
tracking system used by development. By using the existing system you
don't need people to learn/maintain another tool, not to mention it shows
up in the developers' to-do list during triage just like any other bug.

I've written a few articles on this subject. The first outlines specific modifications that you
can implement in your bug tracking system in order to better track/measure software security defects:

Tracking and understanding security related defects: Useful data points for shaping your SDLC program
http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html

The second article outlines prioritization/handling of these security defects once they've been filed:

Setting the appropriate security defect handling expectations in development and QA
http://www.qasec.com/2009/06/setting-the-appropriate-security-defect-handling-expectations-in-development-and-qa.html

Regards,

- Robert A
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/
Rohit Pitke
Tue, Dec 20, 2011 2:28 PM

A good bug management system with proper authentication and authorization management shall suffice.
You can take a look at Bugzilla. However, most traditional systems are not equipped to carry all the data that you may want to put in a security bug, so you might want to either modify some of these open source systems to add some fields or write your own.
Also, keeping multiple copies of the pentest report helps sometimes (restricted access under your Subversion system).


Taras
Tue, Dec 20, 2011 7:20 PM

> For software security related problems I find it best to utilize the bug
> tracking system used by development. By using the existing system you
> don't need people to learn/maintain another tool, not to mention it
> shows up in the developers' to-do list during triage just like any other bug.

Totally agree! We also use a single bug tracking system with developers to
report and track security related bugs, because a security bug in the
application, from the developers' point of view, is also a bug. So using the
existing bug tracking solution is the right decision. The advice is
to mark such bugs with a special tag, e.g. "Security flaw". It is useful
for easily sorting out security bugs.


--
Taras
http://oxdef.info

"Software is like sex: it's better when it's free." - Linus Torvalds
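Robert's point (reuse the developers' bug tracker) and Taras's point (tag security bugs so they can be sorted out) both reduce to a small data model: a stable identity per finding so re-tests do not file duplicates, a status lifecycle with a history trail, a tag to filter on, and a ticket-shaped export for the shared tracker. The module below is an added illustration written for this thread; it is not code from any poster, from Rsam, Bugzilla, Trac, Jira or the qasec.com articles. The `FindingsRegister` class, the status names, the severity ranking and the generic ticket field names are all assumptions, and the findings in `demo()` are constructed sample data.

```python
"""Added example: an in-memory security findings register that models what the
thread asks for (trace, history, status) in front of a shared bug tracker.
Illustrative only; not any tool mentioned in the thread."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib

SECURITY_TAG = "Security flaw"  # the tag suggested in the thread for filtering security bugs
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed scale

# Assumed status lifecycle; any transition not listed is rejected so history stays meaningful.
ALLOWED_TRANSITIONS = {
    "new": {"triaged", "rejected"},
    "triaged": {"in_progress", "rejected"},
    "in_progress": {"fixed"},
    "fixed": {"verified", "reopened"},
    "verified": {"reopened"},
    "reopened": {"in_progress"},
    "rejected": set(),
}
CLOSED_STATES = {"fixed", "verified", "rejected"}


def fingerprint(source: str, title: str, location: str) -> str:
    """Stable id so the same issue reported by a re-test maps onto one record."""
    raw = f"{source}|{title}|{location}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


@dataclass
class Finding:
    fingerprint: str
    title: str
    severity: str
    location: str
    source: str                      # e.g. "dast" or "code-review"
    tags: set
    status: str = "new"
    seen: int = 1                    # how many ingests hit this record
    history: list = field(default_factory=list)  # (timestamp, old_status, new_status, note)


class FindingsRegister:
    def __init__(self):
        self.findings = {}  # fingerprint -> Finding

    def ingest(self, source, title, severity, location, tags=(), now=None):
        """Record a raw finding. Duplicates only bump `seen`; a finding that was
        fixed/verified but shows up again is reopened (regression detection)."""
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r}")
        now = now or datetime.now(timezone.utc).isoformat()
        fp = fingerprint(source, title, location)
        existing = self.findings.get(fp)
        if existing is None:
            f = Finding(fp, title, severity, location, source, {SECURITY_TAG, *tags})
            f.history.append((now, None, "new", f"ingested from {source}"))
            self.findings[fp] = f
            return f
        existing.seen += 1
        if existing.status in ("fixed", "verified"):
            self.transition(fp, "reopened", f"reappeared in {source} results", now)
        return existing

    def transition(self, fp, new_status, note="", now=None):
        """Move a finding along the lifecycle, recording who/why in its history."""
        f = self.findings[fp]
        if new_status not in ALLOWED_TRANSITIONS[f.status]:
            raise ValueError(f"illegal transition {f.status} -> {new_status} for {fp}")
        now = now or datetime.now(timezone.utc).isoformat()
        f.history.append((now, f.status, new_status, note))
        f.status = new_status
        return f

    def open_findings(self, min_severity="low"):
        """Open security-tagged findings at or above a severity, most severe first."""
        floor = SEVERITY_RANK[min_severity]
        rows = [f for f in self.findings.values()
                if SECURITY_TAG in f.tags and f.status not in CLOSED_STATES
                and SEVERITY_RANK[f.severity] >= floor]
        return sorted(rows, key=lambda f: -SEVERITY_RANK[f.severity])

    def to_ticket(self, fp):
        """Generic ticket shape for filing into the development team's tracker.
        Field names are a hypothetical generic shape, not a specific tracker's API."""
        f = self.findings[fp]
        return {
            "summary": f"[{f.severity.upper()}] {f.title} at {f.location}",
            "labels": sorted(f.tags),
            "description": (f"fingerprint: {f.fingerprint}\nsource: {f.source}\n"
                            f"times seen: {f.seen}\nstatus: {f.status}"),
        }


def demo():
    """Constructed scenario: a DAST hit and a code-review hit, one fix, one regression."""
    reg = FindingsRegister()
    xss = reg.ingest("dast", "Reflected XSS", "high", "GET /search?q", tags={"xss"}, now="t1")
    reg.ingest("code-review", "SQL built by string concat", "critical", "UserDao.java:88", now="t2")
    reg.transition(xss.fingerprint, "triaged", "confirmed by appsec", now="t3")
    reg.transition(xss.fingerprint, "in_progress", now="t4")
    reg.transition(xss.fingerprint, "fixed", "output encoding added", now="t5")
    # The re-test still reports the same issue at the same location: reopened, not duplicated.
    reg.ingest("dast", "Reflected XSS", "high", "GET /search?q", now="t6")
    return reg
```

The fingerprint is what makes the "history" part of the original question work: scanner output from every re-test is fed through `ingest`, and only genuinely new issues create records, while anything that comes back after being marked fixed is reopened with a note rather than silently filed twice. `to_ticket` is the point where the record would be pushed into whichever tracker development already uses; the label list carries the `Security flaw` tag so the tracker's own filters can pull security bugs out of the general backlog.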

Research
Tue, Jan 3, 2012 2:56 PM

I second that; several clients of ours are using the bug tracking system of
development.

I can recommend the use of Jira, which for a limited number of users is free
(around $10 per year for a corporate license, and they donate it!), and it also
helps track the development process, so actually integrating with the SDLC
is rather straightforward (as straightforward as it goes with these processes ;-))

Kind Regards,

Boaz Shunami

Do great things while they are yet small, hard things while they are yet
easy
