Developing a remediation plan
A remediation plan defines a structured approach that your teams can use to prioritize and resolve security findings that Veracode scans found in your applications. This approach helps your teams efficiently improve the security posture of your applications.
When development teams begin to perform application security testing, they might be overwhelmed by the number of discovered findings. Teams are often under pressure to address findings quickly, but they might not know where or how to begin.
A well-defined remediation plan can provide structure to this process. This section outlines key considerations that your teams can use as a guide when developing a remediation plan.
This section applies to findings discovered by the following Veracode products:
- Veracode Container Security
- Veracode Dynamic Analysis Security Testing (DAST)
- Veracode Penetration Testing as a Service (PTaaS)
- Veracode Software Composition Analysis (SCA)
- Veracode Static Application Security Testing (SAST)
Findings from SAST are called flaws, and are located in application source code. Findings from DAST or SCA are called vulnerabilities, and are located in web applications, APIs, or open source libraries. In general, if the analysis method is not specified, Veracode refers to all flaws and vulnerabilities as findings.
Prerequisites
Before you create a remediation plan, complete the following steps:
1. Review and ensure the policy is achievable
You must assign a security policy to all application profiles in the Veracode Platform. The Veracode administrator, the security team, and the development team must confirm that the assigned policy is realistic and achievable. For example, if your policy sets overly ambitious goals for a newly onboarded team, this can result in frustration and negatively impact productivity.
2. Ensure your team is set up for success
To give your teams access to scan results and continuous security training, both of which improve remediation efforts, ensure that all developers have Veracode Platform accounts and are enrolled in Veracode eLearning or Veracode Security Labs, as appropriate.
Key components of a remediation plan
A successful remediation plan includes the following components:
- A prioritized list of findings to address
- An estimate of the level of effort required for each finding or group of findings
1. Prioritize findings
In some cases, the number of security findings might be manageable, and you are able to review all of them. However, if you have hundreds or thousands of findings, it is essential that you prioritize the findings you need to address first. To help guide you through the process of prioritizing findings, use the following strategies:
a. Use Veracode Risk Manager
Veracode Risk Manager helps you identify and prioritize the most critical findings, which relate to high-impact areas that you want to remediate first.
b. Focus on policy-affecting findings
Address findings that prevent your application from being in compliance with the assigned policy.
For flaws available in the Veracode Platform, you can focus on policy-related flaws on the Triage Flaws page by setting the Fix for Policy filter to Required.
c. Filter by severity
For all findings, Veracode publishes a severity that ranges from Very High / CRITICAL to Informational / UNKNOWN. Higher-severity findings are likely to have a greater impact on your business, so Veracode recommends addressing these first.
If your teams use the Veracode IDE plugins or extensions, these integrations display both SAST flaws and SCA vulnerabilities that you can filter by severity. To learn more about these metrics, see About severity, exploitability, and effort to fix and Review Container Security findings.
d. Leverage exploitability and effort (SAST)
For SAST flaws, the Triage Flaws page in the Veracode Platform supports filtering by additional metrics. To learn more about these metrics, see About severity, exploitability, and effort to fix.
In the Veracode Platform, the Fix First Analyzer provides a visual representation of which flaws you should address first to improve overall security. Fix First Analyzer highlights flaws based on severity and ease of remediation. On the Triage Flaws page, select Fix First Analyzer in the top-right corner for a detailed analysis.
To prioritize the most critical flaws, select the orange circles in the upper-right quadrant of the analyzer. You can further filter flaws by exploitability and prioritize flaws that attackers are most likely to exploit. Look for the information icon next to the exploitability rating for more details.
e. Address flaws in common modules (SAST)
If your application reuses code modules across components, or a module is shared with other applications, a flaw in that common module affects every application that includes it. Prioritize these flaws according to how many applications across the organization they reach.
f. Leverage automation (SAST, SCA)
For Software Composition Analysis (SCA) results, you might consider using the SCA agent update advisor, which recommends safer versions of libraries and indicates if an update could potentially break a build.
To configure the update advisor, see Configure the update advisor for Veracode SCA.
For SAST results, subscribe to Veracode Fix, which supports automated remediation of certain flaws. If your team uses the Veracode IDE plugins or extensions, filter your results in the IDE to check for flaws that Veracode Fix can address.
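The strategies above (policy-affecting first, then severity, reach through common modules, exploitability, and effort to fix) can be encoded as a single ranking so a team can produce its prioritized list from an export of findings. The following Python is an added example, not Veracode code and not the Veracode Platform's own ranking; the findings, the numeric exploitability and effort scales, the folding of the SAST and SCA severity labels onto one 0..5 rank, and the weighting order are all this example's assumptions. The fix_first helper approximates the "high severity, low effort" quadrant the Fix First Analyzer highlights.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed severity ranks, highest first. Veracode SAST labels run Very High
# to Informational; SCA and Container labels run CRITICAL to UNKNOWN. Folding
# both scales onto one 0..5 rank is this example's own choice.
SEVERITY_RANK: Dict[str, int] = {
    "Very High": 5, "CRITICAL": 5,
    "High": 4, "HIGH": 4,
    "Medium": 3, "MEDIUM": 3,
    "Low": 2, "LOW": 2,
    "Very Low": 1,
    "Informational": 0, "UNKNOWN": 0,
}


@dataclass
class Finding:
    id: str
    source: str                    # SAST, SCA, DAST, Container, PTaaS
    severity: str                  # one of the SEVERITY_RANK labels
    fix_for_policy: bool           # True if the finding blocks policy compliance
    app: str                       # application profile the finding belongs to
    module: Optional[str] = None   # code module containing the flaw (SAST only)
    exploitability: int = 0        # assumed scale: -2 (very unlikely) .. 2 (very likely)
    effort_to_fix: int = 3         # assumed scale: 1 (trivial) .. 5 (major rework)


def module_app_counts(findings: List[Finding]) -> Dict[str, int]:
    """Number of distinct application profiles each module appears in.

    A module seen in more than one application is a common module: a flaw
    there reaches every application that reuses it.
    """
    apps_by_module = defaultdict(set)
    for f in findings:
        if f.module:
            apps_by_module[f.module].add(f.app)
    return {m: len(apps) for m, apps in apps_by_module.items()}


def priority_key(f: Finding, reuse: Dict[str, int]):
    """Composite sort key; a larger tuple sorts earlier.

    Ordering, most to least significant (this example's own weighting):
      1. blocks policy compliance
      2. severity rank
      3. number of applications reached through a shared module
      4. exploitability
      5. lower effort to fix (negated so easier fixes rank higher)
    """
    return (
        f.fix_for_policy,
        SEVERITY_RANK.get(f.severity, 0),
        reuse.get(f.module, 1) if f.module else 1,
        f.exploitability,
        -f.effort_to_fix,
    )


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return the findings ordered from fix-first to fix-last."""
    reuse = module_app_counts(findings)
    return sorted(findings, key=lambda f: priority_key(f, reuse), reverse=True)


def fix_first(findings: List[Finding], min_severity: int = 4,
              max_effort: int = 2) -> List[Finding]:
    """SAST flaws that are both severe and cheap to fix: an approximation of
    the upper-right quadrant of the Fix First Analyzer."""
    return [
        f for f in findings
        if f.source == "SAST"
        and SEVERITY_RANK.get(f.severity, 0) >= min_severity
        and f.effort_to_fix <= max_effort
    ]


# Constructed sample findings across two hypothetical application profiles.
# "shared-auth" is a module reused by both, so its flaws rank above
# otherwise-equal flaws in single-application modules.
SAMPLE_FINDINGS = [
    Finding("F-1", "SAST", "Medium", False, "billing", "billing-core", 0, 2),
    Finding("F-2", "SAST", "Very High", True, "billing", "shared-auth", 2, 3),
    Finding("F-3", "SAST", "Very High", True, "portal", "portal-ui", 1, 1),
    Finding("V-4", "SCA", "CRITICAL", True, "portal"),
    Finding("V-5", "DAST", "LOW", False, "portal"),
    Finding("F-6", "SAST", "High", False, "portal", "shared-auth", -1, 5),
    Finding("F-7", "SAST", "Very High", True, "portal", "shared-auth", 2, 4),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f.id, f.source, f.severity, "policy" if f.fix_for_policy else "")
    print("fix first:", [f.id for f in fix_first(SAMPLE_FINDINGS)])
```

The weighting puts policy compliance ahead of everything else because that is what the grace period is measured against; teams that want the Fix First view instead can sort by `fix_first` output before the rest of the list. Swap the scale tables for the values in your own Detailed Report export before relying on the ordering.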
2. Understand findings
Before remediation, ensure that your team thoroughly understands the security findings. Consider using the following features to gain a deeper understanding of specific findings:
- Triage Flaws in the Veracode Platform (SAST, DAST)
- Veracode IDE plugins or extensions (SAST, SCA)
- Veracode Vulnerability Database (SCA)
To accelerate remediation, schedule a consultation call and review your results with a Veracode Application Security Consultant.
3. Plan the work
In the Veracode Platform, download a Detailed Report. In the report, use the Action Items to develop a timeline for remediation that aligns with the grace period for your policy.
Executing on the plan
When your team is ready to execute on the remediation plan, consider the following.
1. Execute, rescan, and validate
To address findings, take advantage of Veracode Fix for SAST flaws, the update advisor for SCA vulnerabilities, and remediation guidance from Veracode Application Security Consultants. After remediation, rebuild the application (if necessary), resolve any errors, and run the required tests, either manually or with automated processes, to ensure all functionality works correctly. Finally, rescan the application to validate the fixes and confirm that no new vulnerabilities have been introduced.
2. Report to stakeholders
After remediation is complete, ensure the results from all analyses are available to stakeholders:
- SAST and SCA Upload Scan results: run scans outside development sandboxes. If you run a scan in a development sandbox, promote that scan to a policy scan.
- SCA agent scans: always link the scanned project to an application profile.
- DAST scans: always link the results to an application profile.
- Container scans: download and share the results.
You can access the results in the Veracode Platform from reports and analytics.
3. Continuous improvement
Improving the security of your applications is an ongoing process. Ensure your teams use automations, such as the integrations, CLI, and APIs, and scan routinely to identify and address new findings as they emerge.