Five Fun Things To Do With a PDF Application Assessment Report
There are all sorts of fun things you can do with a PDF assessment report. For example:

1. Email it to a developer with a note saying “fix these vulnerabilities” so they can ignore it.

2. Print it out and put Post-It notes on the pages with the vulnerabilities you want fixed. Then hand it to a developer so they can ignore it. (You get bonus points for futility if you color-print the report, because the only color in the entire document is the pie chart on the first page, and maybe some screenshots of possible exploits that aren’t going to be used to fix the issues.)

3. Put it on a shared drive (or even SharePoint!) so everyone can ignore it.

4. Send it up the chain to “management” so they can be confused by it. And then ignore it.

5. Desperately hope your auditors don’t find it.

One of the things we’re trying to do with ThreadFix is give any organization that tests applications a centralized place to collect, track and report on its testing data. Check out some of the things we’re doing to turn vulnerabilities into software defects for examples of what we think needs to happen next. As an industry, we need to move beyond “dead” PDF reports that reflect a point-in-time analysis of a single application and start treating the results of testing as data: something to be analyzed, transformed and, ultimately, used to manage risk and speed up the fixing of vulnerabilities.
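To make the “results as data, not a dead report” point concrete, here is an added example (not ThreadFix or Denim Group code) that takes two constructed scanner exports for the same application, diffs them to tell new, still-open and fixed findings apart, and turns the actionable ones into defect-tracker records. The `Finding` fields, the content-derived identity key, the severity ranking and the sample findings are all assumptions made for this example, not any real scanner’s format or output.

```python
"""Added example, not ThreadFix or Denim Group code: treat scan output as data.

Two constructed scanner exports for one application are diffed to tell new,
still-open and fixed findings apart, then turned into defect records a
developer can work from. Finding fields, the identity rule and the severity
ranking are assumptions of this example, not any particular scanner's format.
"""
from dataclasses import dataclass
import hashlib

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Finding:
    vuln_type: str   # category, e.g. "XSS", "SQLi" (assumed field)
    path: str        # affected URL path (assumed field)
    parameter: str   # affected parameter, "" when not applicable (assumed field)
    severity: str    # one of SEVERITY_RANK's keys (assumed field)

    def key(self) -> str:
        # Identity of a vulnerability across scans is "same type at the same
        # location". Scanner-assigned IDs change between runs, so the key is
        # derived from content instead. Severity is deliberately excluded:
        # a re-rated finding is still the same finding.
        raw = f"{self.vuln_type.strip().lower()}|{self.path}|{self.parameter}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


def diff_scans(previous, current):
    """Classify findings by comparing two point-in-time scans of one app."""
    prev = {f.key(): f for f in previous}
    curr = {f.key(): f for f in current}
    return {
        "new": [f for k, f in curr.items() if k not in prev],
        "open": [f for k, f in curr.items() if k in prev],
        "fixed": [f for k, f in prev.items() if k not in curr],
    }


def summarize(diff):
    """Counts per status: the trend a single PDF cannot show."""
    return {status: len(findings) for status, findings in diff.items()}


def to_defects(diff, min_severity="Medium"):
    """Turn new and still-open findings at or above a severity into
    defect-tracker records, highest severity first, so the developer gets a
    worklist rather than a report to ignore."""
    threshold = SEVERITY_RANK[min_severity]
    open_keys = {f.key() for f in diff["open"]}
    records = []
    for f in diff["new"] + diff["open"]:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        records.append({
            "id": f.key(),
            "severity": f.severity,
            "title": f"{f.severity}: {f.vuln_type} in {f.path} ({f.parameter or 'n/a'})",
            "status": "open" if f.key() in open_keys else "new",
        })
    records.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["title"]))
    return records


# Constructed sample exports for one application (not real scan data).
SCAN_MARCH = [
    Finding("SQLi", "/login", "username", "Critical"),
    Finding("XSS", "/search", "q", "High"),
    Finding("Cookie without HttpOnly", "/", "JSESSIONID", "Low"),
]
SCAN_APRIL = [
    Finding("xss", "/search", "q", "High"),                    # same finding, re-cased by the scanner
    Finding("Cookie without HttpOnly", "/", "JSESSIONID", "Low"),
    Finding("Path Traversal", "/download", "file", "High"),  # new this month
]                                                           # SQLi no longer reported: fixed

if __name__ == "__main__":
    diff = diff_scans(SCAN_MARCH, SCAN_APRIL)
    print(summarize(diff))
    for rec in to_defects(diff):
        print(rec["status"], rec["title"])
```

The identity key is the part that matters in practice: if it is too loose (type only) unrelated findings collapse into one defect, and if it is too strict (including the scanner’s run-specific ID or the severity) every rescan reopens everything. Tune it per scanner, and keep the low-severity findings in the data even when they are filtered out of the worklist.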

Contact us for help managing your application vulnerability data.

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell has 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team that helps Fortune 500 companies and government organizations integrate security throughout the development process.