Results And Reporting

Web security tools typically are able to output results in several reporting formats. The most common ones are Word Documents (.doc), Portable Documents (.pdf) and Comma Separated Values (.csv).

Some security tools are also able to export results into various other more programmer-friendly formats such as JSON and XML. These formats tend to be more comprehensive and allow the user to programmatically process the results and embed in their own reporting frameworks.

Security findings are delivered from the security testing to the development team. Issues are analyzed and fixes planned. Once implemented, these fixes are sent back for a re-test by the security testing team. The process may repeat several times until all issues are properly fixed.

This approach is not optimal and usually has a very slow turn-around. A better approach is to use automated testing as part of the process. For example, the developer not only receives all the information required to fix the issue but also a comprehensive automated testing suite for validation. The fixes can be still tested by the security team prior deployment, however the simple fact that an automated baseline is employed as part of the process reduces the amount of back-and-forth interaction between various teams.

This idea can be expanded even further. Instead of using reports, which are typical when employing external security consultancies to do the work, make sure that security defects are properly recorded in your bug tracker. Try to provide test cases to verify the issue so that developers can pick it up easily. Read this article for more information.