10. Exercise: Remediation Plans

Question 1

QUESTION:

An assessor has recommended that you address a critical finding in the next 15 days. The finding states that your customer-facing application allows cross-site scripting (XSS), which is a vulnerability listed on the OWASP Top 10. Briefly explain the steps you might take to create a remediation plan.

ANSWER:

If I didn't have the information already, I would ask the assessor for detailed information as to where the vulnerability might be found. I would also, if I didn't already know what XSS was or how to fix it, look up the vulnerability to find as much detail as necessary for me to clearly explain the issue, why it is important to fix, where to find the issue, and how to fix it (in general terms). I would then ask the associated stakeholders whether 15 days is enough time to fix the issue as recommended, or whether it is technically feasible at all. If for any reason the recommended remediation cannot be applied within 15 days, I would ask the stakeholders to provide details on either a) when the remediation might be applied or b) a proposed mitigating control. Once agreed, I would work with the stakeholders to develop milestones and schedule check-in meetings to ensure everything stays on track.
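The answer above says the plan should explain, in general terms, what the XSS finding is and how to fix it. The following is an added illustration of that "how to fix it" piece, written for this page and not taken from the exercise or its course: the vulnerable pattern an assessor typically reports (untrusted input concatenated straight into HTML) beside its corrected form (contextual output encoding), plus a small regression check a team can keep in CI while the finding is open. The function names, the sample payload, and the check are all constructed for the example.

```javascript
// Added example, not part of the exercise: the general remediation for a
// reflected XSS finding is to encode untrusted data for the context it is
// written into. All names below (escapeHtml, renderGreeting*, etc.) are
// illustrative, not from any real application.

// Encode the characters that are significant in an HTML body or
// double-quoted attribute context. '&' must be handled first so the other
// replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before": a request parameter is interpolated raw into the page. This is
// the pattern behind most reflected XSS findings.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// "After": the same page with the untrusted value encoded for the HTML
// body context. The data is still displayed; it just cannot become markup.
function renderGreetingFixed(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Regression smoke test for the remediation milestone: if the raw input
// contained a tag start and appears verbatim in the output, the value was
// not encoded. This does not replace a scanner or code review; it only
// guards the specific fix against being reverted.
function containsInjectedMarkup(html, input) {
  const looksLikeMarkup = /<[a-z!\/]/i.test(input);
  return looksLikeMarkup && html.includes(input);
}

// Constructed sample input of the kind an assessor's scanner would submit.
const sample = '<script>alert("xss")</script>';

console.log(renderGreetingVulnerable(sample));
console.log(renderGreetingFixed(sample));
console.log('vulnerable output injected:', containsInjectedMarkup(renderGreetingVulnerable(sample), sample));
console.log('fixed output injected:', containsInjectedMarkup(renderGreetingFixed(sample), sample));
```

In a real remediation plan the encoding call would live in the template engine (most modern engines escape by default), and the milestone would be "every raw interpolation in the affected views replaced and covered by a test like `containsInjectedMarkup`", which is something stakeholders can verify at a check-in meeting.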