Brian Myers, WebMD Health Services
You’re part of a small development team building a web application, and now someone tells you your product must be secure. Maybe the requirement comes from an auditor, or maybe from a prospect. No one on your team was hired for security expertise. What should you do? How can you make meaningful progress with minimal knowledge? Where should you start?
You could hire experts, get training, identify risks and threats, prioritize your findings, design solutions, and implement them. That is the right way to go, but it makes for a slow start with a lot of heavy lifting up front. For people who don’t have that option, I propose a much easier way to get quick results and long-term improvements with minimal initial investment: just incorporate a vulnerability scanner (there are some good free ones) into your software development processes.
This paper explains how to set up a simple vulnerability management program that will give you immediate results, make your application more secure, improve your secure development lifecycle, help your team develop expertise relevant to their project, and meet some likely compliance requirements.
Along the way, I’ll provide tips for choosing a vulnerability scanner that suits you. I’ll show you how to understand what the scanner finds. I’ll explain a simple process you can follow to turn your scan activity into a vulnerability management program. And I’ll point out resources to help with questions you’ll have along the way.
Key takeaways include:
- You can start a team’s security program quickly by beginning with vulnerability management
- To pick the right vulnerability scanner you need to understand the different kinds of scanners and their features
- The internet offers many online resources to answer questions you may have about scanner findings
- Beginning with vulnerability management is a great way to start your team down the road of learning application security concepts
Brian Myers, 2019 Technical Presentation, Paper, Slides