Existing Knowledge Base and Patterns
Before we get much further, let's talk about the knowledge and resources I would start with. I know this may not be common in many organizations, but I would expect to have a specific set of secure architecture, configuration, and coding patterns that satisfy the security requirements of my application, my organization, my data protection needs, and the threat actors targeting my application, AND that are tailored to the language and frameworks I'm using. These patterns may not be very complete or robust, but they are at least a starting point to build on in the future. Alongside them, the validation patterns that confirm the secure patterns are actually applied take forms such as:
- Unit tests
- Automated tests using Capybara, Watir, or other similar frameworks
- QA test cases
- Automated static analysis rules
- Dynamic testing test cases
- Many more...
Security Assessment Expectations
After I receive an assessment report, what do I expect the assessor to provide to me (in addition to a report discussing the issue, risk rating, best practice, etc.)? First, I would expect a completed test case of some kind that reproduces the issue. This may require collaboration between the developers, QA testers, and the security tester, but I should receive automated (preferable) or manual test cases (for example, detailed instructions for QA to follow, probably created by QA while walking through the reproduction with the assessor) that I can run at any time to validate whether the vulnerability has been fixed successfully. These test cases may reflect the capabilities of the organization and the validation patterns that already exist.
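As an added example (not code from the original post), this is what such a handed-over test case could look like for a hypothetical cross-site scripting finding in a Ruby application: the insecure renderer, the secure coding pattern that fixes it, and a regression check that can be run at any time to confirm the fix still holds. All names, renderers and probe inputs are constructed, and it uses only the Ruby standard library rather than Capybara or Watir so it runs without a browser driver.

```ruby
require "cgi"

# Characters whose presence in output decides whether untrusted input became
# live markup. Counting them is a renderer-agnostic check: a safe renderer must
# not let the input add any of them to the page.
HTML_META = "<>\"'".freeze

# Secure coding pattern to add to the pattern library: every untrusted value
# placed into HTML is entity-encoded. The Ruby stdlib idiom is CGI.escapeHTML.
def html_encode(value)
  CGI.escapeHTML(value.to_s)
end

# "Before" renderer, as the hypothetical assessment finding would describe it:
# the display name is interpolated into HTML without encoding.
def render_profile_vulnerable(display_name)
  "<h1>Welcome, #{display_name}</h1>"
end

# "After" renderer applying the pattern.
def render_profile_fixed(display_name)
  "<h1>Welcome, #{html_encode(display_name)}</h1>"
end

# Constructed probe inputs for the regression test. They cover tag injection,
# attribute breakout with double quotes, and breakout with single quotes, so a
# partial fix that encodes only angle brackets still fails the test.
XSS_PROBES = [
  "<script>alert(1)</script>",
  "\"><img src=x onerror=alert(1)>",
  "' onmouseover='alert(1)",
].freeze

# The handed-over test case: returns the probes that still reach the output as
# markup, comparing against a benign rendering so the template's own tags are
# not counted. An empty result means the fix holds.
def xss_regression_failures(renderer)
  baseline = renderer.call("alice").count(HTML_META)
  XSS_PROBES.select { |probe| renderer.call(probe).count(HTML_META) > baseline }
end

def fix_validated?(renderer)
  xss_regression_failures(renderer).empty?
end
```

Run it as `fix_validated?(method(:render_profile_fixed))` from a CI job or a QA checklist; the same call against `render_profile_vulnerable` reproduces the finding.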
Second, I would expect the assessor to help evaluate and update existing secure coding, configuration, architecture, and validation patterns to ensure a solution exists for future development.
Third, I would expect the assessor to provide a mini training session (it may only be 10 minutes over a web-based conferencing solution) explaining the vulnerability, and then support the development lead or architect in training the developers and QA testers to apply the new patterns.
Finally, I would expect the assessor to help link specific weaknesses in my application to techniques commonly used by the threat actors targeting my organization and application.