DotSec has reviewed hundreds of web applications, sites and services over the past 16 years, and in all but a handful of cases, has been able to discover and help address significant vulnerabilities in the target of evaluation. The process of testing a website for vulnerabilities generally takes place prior to the website being made publicly accessible (whether it be a completely new website or an update of an existing one) but sometimes, the customer’s agenda does not leave much time between the completion of the assessment and the date for website go-live.
More often than not we find that insufficient time is allocated for testing the website, let alone for fixing any vulnerabilities found before its launch. This leaves customers in the unfortunate position of having to choose between two options:
- Accept that the website has known vulnerabilities but launch on time to keep stakeholders happy.
- Push the launch date back, which usually upsets everyone except the infosec team, until the vulnerabilities have been resolved.
We do see Option 1 being exercised, although not too often.
Option 2 is not really satisfactory either: already-overworked developers and testers have to spend more long days fixing vulnerable code before once again being subjected to penetration testing (TRA) and then finally launching, assuming the code fixes haven't introduced further bugs or vulnerabilities.
However, a third option, "Virtual Patching", is now becoming more popular, and we discuss this option in more detail in a separate blog post.