End-to-end Web Application Security Testing and Vulnerability Remediation Workflow

In this post I want to show you how easy it is to create an end-to-end web application security testing and vulnerability remediation workflow.

We start by visiting the Suite and launching the Scanner. After the target is selected and the test approved, a scan should be on its way as illustrated by the screenshot bellow.

Next, we export the results into a report. In the Suite you can select several export formats: CSV, XML, JSON and HTML. The first 3 are designed to be suitable in situations where you want to programatically process the results. The last one, the HTML report, provides a user-friendly way to print, incorporate into custom reports or just share the results between colleagues.

The HTML report is also special because bellow each reported issue you get two useful links: Retest and Resend. You can use these links to verify if the issue has been fixed without executing another complete scan. If you are a developer and you have just received the report from your security team, you are not only getting just an HTML file with some text but also the complete set of tests used to verify if the issue is still present, which is incredibly useful during the vulnerability remediation stage.

Clicking on the Retest link will spawn the Retest tool. As you can see from the screenshot, all information is already populated in order to make the whole process as simple as possible. All you have to do is to re-run the test and interpret the results.

You can repeat this cycle as many times as you need. You can also re-export the results from the Retest tool if you want to keep them in your log of common security issues. This may come handy if you want to track patterns of common programming mistakes across all your applications or to use it as a prove that the reported issue has been indeed rectified.

And just like that we have created a solid web application security testing and vulnerability remediation workflow that is simple to follow. Keep in mind that you did not have to install anything, deal with any complex processes or even use proprietary technologies. Everything just works out of the box.