File:VulnerabilityManagementInAnApplicaitonSecurityWorld OWASPMSP 20090316.pdf
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
Dan Cornell, a Principal of Denim Group, detailed in his presentation, delivered in Minneapolis, Minnesota on March 16, 2009 at the regular OWASP Minneapolis-St. Paul chapter meeting, many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities, and outlined strategies security teams can use for communicating with development teams. Similarities and differences between security teams' practice of vulnerability management and development teams' practice of defect management are addressed in order to facilitate healthy communication between these groups.
File history
Version | Date/Time | Size | User | Comment
---|---|---|---|---
current | 02:23, 18 March 2009 | 215 KB | Webappsecguy | Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk.