12. Prioritizing Findings

ND545 C3 L3 A07 Considerations When Prioritizing Findings

Overview

You've run application, network, and host scans. Now you need to consolidate all of the results, understand the effort required to fix each issue, decide what should be done now, next, and later, and assign an owner for each item.

At this stage, the context gathered through vulnerability research and validation can be used to prioritize findings across the many inputs (scanner reports, manual test results, and so on). Once false positives have been removed and you have a clean list of true positives, the risk ratings and context gathered in prior steps let you group findings into remediation categories based on variables like:

  • Severity level
  • Budget
  • Time and effort to remediate
  • Cost benefit analysis
  • Regulatory requirements

Note that before starting this process, it's important to remove any false positives where possible through vulnerability research, manual testing, or other means. Prioritization effort should be spent only on true positives.

General tips for prioritizing findings:

  • Severity: The higher the severity level, the more urgent the fix. For example, "critical" severity issues generally should be prioritized before those rated "high".
  • Cost benefit analysis: The cost to fix a vulnerability should not exceed the potential negative impact of leaving it exposed. When it does, the finding is a candidate for deferral or formal risk acceptance rather than immediate remediation.
  • Corporate considerations: Unique factors, such as regulatory compliance implications, must be taken into account. For example, if failing to fix a vulnerability will cause the company to fail an audit or land in legal trouble, the team may choose to prioritize those findings regardless of their technical severity rating.

Standardizing the prioritization process:

Establishing a standard prioritization process keeps remediation consistent and measurable. Through service level agreements (SLAs), an organization can define how quickly each class of finding must be addressed. For example, a rule might be that any critical issue must be fixed within 30 days of discovery, while low-severity issues may wait up to 90 days. Tracking each finding against its deadline also makes overdue items visible to the team and to management.
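The grouping and SLA rules described in this lesson, pulled together as an added worked example in Python (this is not code from the lesson materials): it drops findings marked as false positives during validation, collapses duplicates that more than one scan reported for the same asset, applies the regulatory and cost-benefit overrides, assigns each finding a now/next/later/accept bucket, and computes an SLA due date so overdue items stand out. The sample findings, the 45-day and 60-day SLAs for high and medium severity, the field names, and the cost figures are constructed assumptions; only the 30-day critical and 90-day low deadlines come from the text.

```python
"""Group validated scan findings into remediation buckets with SLA due dates.

Added example, not part of the lesson. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed to fix a finding, by severity. The 30-day critical and 90-day
# low values are the lesson's example SLA; high and medium are assumed.
SLA_DAYS = {"critical": 30, "high": 45, "medium": 60, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
BUCKET_RANK = {"now": 0, "next": 1, "later": 2, "accept": 3}


@dataclass
class Finding:
    finding_id: str
    asset: str
    title: str
    severity: str                  # critical/high/medium/low, normalised from the scanner
    discovered: date
    source: str                    # which scan reported it: app, network, host
    false_positive: bool = False   # set during research / manual validation
    regulatory: bool = False       # leaving it unfixed would fail an audit
    remediation_cost: float = 0.0  # estimated cost to fix (assumed units), 0 = unknown
    exposure_cost: float = 0.0     # estimated loss if exploited (assumed units), 0 = unknown


@dataclass
class Decision:
    finding: Finding
    bucket: str     # now / next / later / accept
    due: date       # discovered + SLA
    overdue: bool
    reason: str


def dedupe(findings):
    """Collapse the same issue on the same asset reported by several scans,
    keeping the record with the highest severity rating."""
    merged = {}
    for f in findings:
        key = (f.asset, f.title.strip().lower())
        if key not in merged or SEVERITY_RANK[f.severity] < SEVERITY_RANK[merged[key].severity]:
            merged[key] = f
    return list(merged.values())


def decide(f, today):
    """Apply the lesson's rules in order: regulatory, then cost-benefit, then severity."""
    due = f.discovered + timedelta(days=SLA_DAYS[f.severity])
    if f.regulatory:
        bucket, reason = "now", "regulatory: unfixed finding fails an audit"
    elif f.remediation_cost and f.remediation_cost > f.exposure_cost:
        # Fix costs more than the exposure: defer, but record it as accepted risk.
        bucket, reason = "accept", "cost to fix exceeds expected impact"
    elif f.severity == "critical":
        bucket, reason = "now", "critical severity"
    elif f.severity == "high":
        bucket, reason = "next", "high severity"
    else:
        bucket, reason = "later", f"{f.severity} severity"
    return Decision(f, bucket, due, today > due, reason)


def triage(findings, today):
    """Drop false positives, dedupe, decide each bucket, and order the work
    list: bucket first, then earliest due date, then severity."""
    true_positives = [f for f in findings if not f.false_positive]
    decisions = [decide(f, today) for f in dedupe(true_positives)]
    decisions.sort(key=lambda d: (BUCKET_RANK[d.bucket], d.due,
                                  SEVERITY_RANK[d.finding.severity]))
    return decisions


def report(decisions):
    """One line per finding, suitable for pasting into a tracking ticket."""
    lines = []
    for d in decisions:
        flag = " OVERDUE" if d.overdue else ""
        lines.append(f"{d.bucket:6} {d.finding.finding_id:7} {d.finding.asset:20} "
                     f"{d.finding.severity:8} due {d.due}{flag}  ({d.reason})")
    return lines


# Constructed sample input: one SQLi reported by two scans, one regulatory
# finding, one uneconomic fix, one validated false positive.
TODAY = date(2024, 3, 15)
SAMPLE = [
    Finding("APP-1", "shop.example.test", "SQL injection in /search", "critical", date(2024, 2, 1), "app"),
    Finding("NET-7", "shop.example.test", "sql injection in /search", "high", date(2024, 2, 3), "network"),
    Finding("HOST-3", "db01.example.test", "Outdated OpenSSL package", "high", date(2024, 3, 1), "host"),
    Finding("NET-2", "proxy.example.test", "TLS 1.0 enabled", "medium", date(2024, 1, 10), "network",
            regulatory=True),
    Finding("HOST-9", "kiosk.example.test", "SMB signing disabled", "low", date(2024, 3, 10), "host",
            remediation_cost=50_000, exposure_cost=2_000),
    Finding("APP-4", "shop.example.test", "Missing X-Frame-Options", "low", date(2024, 3, 1), "app",
            false_positive=True),
    Finding("HOST-5", "web02.example.test", "Weak SSH ciphers", "low", date(2024, 3, 5), "host"),
]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE, TODAY))))
```

Running the script lists the critical SQL injection and the regulatory TLS finding first, both already past their SLA dates, with the high-severity OpenSSL issue next, the weak SSH ciphers later, and the SMB finding recorded as accepted risk because its estimated fix cost exceeds its exposure. The rule order in `decide` is the part worth debating with your own team: here a regulatory flag overrides everything, and a cost-benefit deferral can override severity, which is why the accepted item keeps its due date so the deferral is revisited rather than forgotten.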