Application Security

The use of Playbooks in Vulnerability management

When we talk to customers about maintaining or even setting a standard for both testing and requirements setting, for example, we inevitably have the impression that we are talking about something new and difficult.

After a while we realize that it is really something a little harder to implement when the company has multiple teams, many developers and a structure that works independently.

Vulnerability Management Playbooks

Keeping large teams working with the same goals, and keeping a pattern within a process that often allows the developer some freedom is not easy.

In our consultancies, implementing a secure development process or even while testing and retesting some code, our customers’  inevitable question:

“How do you guarantee that all of your analysts will perform the tests in the same steps?”

What are the problems

But before we talk about how we solve this quality assurance issue, we want to talk a little bit about what this lack of security controls can bring to businesses.

When a company cannot create mechanisms that can ensure that its teams follow and maintain a certain degree of standardization in their activities, it is very difficult to guarantee that all services performed will follow the same principle or even sequence.

Let’s imagine the following situation, an analyst is assigned to perform a test on a new part of a code, as good practices dictate this analyst must be different from the analysts who participate in the development.

During the code validation process, the slightly more experienced analyst performs a series of tests and reaches the final result that is presented to the team through a report.

At the end of the patches, the development team informs the test teams that they can already proceed with the validation of the patches by performing a test again. But in this case the test needs to ensure that the corrections were well made.

This time another analyst will perform the tests, and this one may be a little less experienced than the previous one.

Imagine also that by switching analysts on a test can also lose context and much information about the test.

This may also lead the analyst conducting the test to leave some important points.

How to ensure the quality on code review?

What always comes up as the question is “How to guarantee the quality and the execution of tests even being done by different professionals?”.

By not being able to guarantee this sequence of activities and even the fulfillment of basic activities, the company puts itself at risk, allowing errors and forgetfulness to be present in its results.

This is very common, and can bring a totally unnecessary risk inside the company that can be easily resolved with the help of AppSec Flow.

How to find a Solution

Remember the question asked by our client?

“How do you guarantee that all of your analysts will perform the tests in the same steps?”

This question is normal and for us the answer is quite natural.

In all our services we use our AppSec Flow platform which has one of its features focused on ensuring that tests and services are performed following a previously planned process.

The playbook functionality allows us to create an action plan based on tasks that must be accomplished.

These tasks can in some cases be placed as mandatory for closing a project, which gives the manager full control over execution.

By following this playbook, the user is led by a scenario previously planned and thought within the best practices. The creation of the playbooks can be done by both the CONVISO team and the client team, who can create their own methodologies.

Focus on the results

Performing tasks based on the created playbooks visually help the manager and the entire team maintain a pattern of activity that does not allow for error margins.

AppSec Flow is designed to deliver a set of features to the user that lets them forget about the heaviest planning tasks and focus on what really matters the outcome.

With AppSec Flow, the company has complete control over the creation of new methodologies that enable its analysts to achieve a safer standardization result.

It is a complete platform that gives its users complete control over the security of their codes and assists in integration with various other tools.

Our business area will be delighted to introduce you to all the features of AppSec Flow.

New call-to-action

About author

Articles

Over 15 years of experience in Information Security and Applications, graduated in Data Processing worked as a Professor and participated actively as an instructor on trainings to more than 6000 developers and IT teams. Father of two daughters and trader on free time.
Related posts
Application Security

Which topics should an AppSec Training Contemplate?

The development market seems to be becoming more and more aware of the need for Application Security…
Read more
Application Security

Webinar - What changes for AppSec Flow with the union of forces between Conviso and N-Stalker

Last September, Conviso and N-Stalker announced that the two companies would now join forces and…
Read more
Application Security

Conviso and N-Stalker join forces in application security

Conviso Application Security, a pioneer in application security in Brazil, and N-Stalker, a company…
Read more

Deixe um comentário