Hello, I'm looking for a tool to manage (keep track, history, status) all
security issues found during dynamic testing or code review activities.
Can someone help me?
Thanks
I've seen some of our larger clients use Rsam --
http://www.rsam.com/products_appasses.htm. From what I've seen, it does
everything you want, but I don't know the cost of this product. It may or
may not be prohibitive.
-Dave
On Thu, Dec 15, 2011 at 4:44 PM, Lebeau Frederic <frederic.lebeau@websurf.be
wrote:
Hello, I'm looking for a tool to manage (keep track, history, status) all
security issues found during dynamic testing or code review activities.
Can someone help me?
Thanks
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
You could also try any software issue tracking system, such as one of those listed here:
http://en.m.wikipedia.org/wiki/Comparison_of_issue-tracking_systems
Your question is perhaps a bit unclear.
Are you looking for a formal issue/bug tracking system (e.g. Trac)
or a system for ingesting log files?
If it is the latter, maybe something like Splunk (paid and free) may fit:
http://en.wikipedia.org/wiki/Splunk
Randy
At 6:04 PM +0200 12/16/11, Stephen De Vries wrote:
You could also try any software issue tracking system, such as one
of those listed here:
http://en.m.wikipedia.org/wiki/Comparison_of_issue-tracking_systems
Hello Lebeau,
For software security-related problems I find it best to utilize the bug
tracking system used by development. By using the existing system you
don't need people to learn/maintain another tool, not to mention it shows
up in the developers' to-do list during triage just like any other bug.
I've written a few articles on this subject. The first outlines specific modifications that you
can implement in your bug tracking system in order to better track/measure software security defects:
Tracking and understanding security related defects: Useful data points for shaping your SDLC program
http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html
The second article outlines prioritization/handling of these security defects once they've been filed.
Setting the appropriate security defect handling expectations in development and QA
http://www.qasec.com/2009/06/setting-the-appropriate-security-defect-handling-expectations-in-development-and-qa.html
Regards,
A good bug management system with a proper authentication and authorization management system shall suffice.
You can take a look @ Bugzilla. However, most traditional systems are not equipped to carry all the data that you may want to put in a security bug. So you might want to either change some of these open source systems to add some fields or write your own.
Also, keeping multiple copies of the pentest report helps sometimes (with restricted access under your Subversion system).
From: Lebeau Frederic frederic.lebeau@websurf.be
To: "websecurity@webappsec.org" websecurity@webappsec.org
Sent: Friday, December 16, 2011 4:14 AM
Subject: [WEB SECURITY] security findings management
Hello, I'm looking for a tool to manage (keep track, history, status) all security issues found during dynamic testing or code review activities.
Can someone help me?
Thanks
For software security-related problems I find it best to utilize the bug
tracking system used by development. By using the existing system you
don't need people to learn/maintain another tool, not to mention it
shows up in the developers' to-do list during triage just like any other bug.
Totally agree! We also use a single bug tracking system with developers to
report and track security-related bugs, because a security bug in the
application, from the developers' point of view, is also a bug. So using
the existing bug tracking solution is the right decision. The advice is
to mark such bugs with a special tag, e.g. "Security flaw". It is useful
for easily sorting out security bugs.
"Software is like sex: it's better when it's free." - Linus Torvalds
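An added example, written for this thread rather than taken from any of the posters or from the trackers they name, of what the "Security flaw" tag and a couple of extra fields buy you in a shared bug tracker: it sorts the security findings out of constructed issue records, reads each one's current status from its history, and reports open findings by severity and mean days to close. The Issue model and its field names are assumed, not any real tracker's schema.

```python
from dataclasses import dataclass
from datetime import date

SECURITY_TAG = "Security flaw"  # the tag suggested in the thread

@dataclass
class Issue:  # field names are assumed, not a real tracker's schema
    key: str
    title: str
    severity: str
    labels: set
    history: list  # (date, status) transitions, oldest first

# Constructed sample records: ordinary bugs and security findings share one tracker
ISSUES = [
    Issue("APP-101", "Reflected XSS in search page", "High", {SECURITY_TAG, "web"},
          [(date(2011, 12, 1), "Open"), (date(2011, 12, 5), "In Progress"),
           (date(2011, 12, 9), "Closed")]),
    Issue("APP-102", "Pagination off by one", "Low", {"ui"},
          [(date(2011, 12, 2), "Open")]),
    Issue("APP-103", "SQL injection in report filter", "Critical", {SECURITY_TAG},
          [(date(2011, 12, 3), "Open"), (date(2011, 12, 4), "In Progress")]),
    Issue("APP-104", "Session not invalidated on logout", "Medium", {SECURITY_TAG},
          [(date(2011, 11, 20), "Open"), (date(2011, 12, 15), "Closed")]),
]

def security_issues(issues):
    """Sort the security findings out of the shared tracker by their tag."""
    return [i for i in issues if SECURITY_TAG in i.labels]

def current_status(issue):
    return issue.history[-1][1]  # status is the last transition recorded

def days_open(issue, as_of):
    """Days from first report to closure, or to `as_of` if still open."""
    opened = issue.history[0][0]
    closed = next((d for d, s in issue.history if s == "Closed"), None)
    return ((closed or as_of) - opened).days

def open_by_severity(issues):
    """Open security findings per severity: the triage view the thread describes."""
    counts = {}
    for i in security_issues(issues):
        if current_status(i) != "Closed":
            counts[i.severity] = counts.get(i.severity, 0) + 1
    return counts

def mean_days_to_close(issues):
    """Average time to fix for closed security findings, None if none are closed."""
    closed = [i for i in security_issues(issues) if current_status(i) == "Closed"]
    return sum(days_open(i, None) for i in closed) / len(closed) if closed else None
```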
I second that; several clients of ours are using the bug tracking system of
the development team.
I can recommend the use of Jira, which for a limited number of users is free
(around $10 per year for a corporate license, and they donate it!) and it also
helps track the development process, so actually integrating with the SDLC
is rather straightforward (as straightforward as it goes with these processes ;-))
Kind Regards,
Boaz Shunami
Do great things while they are yet small, hard things while they are yet
easy
-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Taras
Sent: Tuesday, December 20, 2011 9:21 PM
To: Robert A.
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] security findings management