Methodology
摘要
Flaw mitigation and vulnerability remediation in a standard SSDLC process is always time consuming with immense volume of effort spend by appsec analyst in collating policy failing alerts context from source code, triaging with developers, understanding the nature of the alerts, analyze False Positives, performing POC to substantiate the depth of exploitibility, prepare reports and finally once the source code is updated to fix the issue—run the scans and re-validate the fix. This is not only time intensive but costly also in terms of appsec analyst head count and hours needed to operationalize and support the developers. This is why many organizations have specific policy setup for common vulnerabilities that requires additional appsec analyst to review while majority of the alerts related to other vulnerability is managed by developers or in some case the entire alerts are triaged by developers.