Five Fun Things To Do With a PDF Application Assessment Report

There are all sorts of fun things you can do with a PDF assessment report. For example:

1. Email it to a developer with a note saying “fix these vulnerabilities” so they can ignore it.

2. Print it out and put Post-It notes on the pages with the vulnerabilities you want fixed, then hand it to a developer so they can ignore it. (You get bonus points for futility if you color-print the report, because the only color in the entire document is the pie chart on the first page, plus maybe some screenshots of possible exploits that nobody is going to use to fix the issues.)

3. Put it on a shared drive (or even SharePoint!) so everyone can ignore it.

4. Send it up the chain to “management” so they can be confused by it. And then ignore it.

5. Desperately hope your auditors don’t find it.

One of the things we’re trying to do with ThreadFix is give any organization that is testing applications a centralized place to collect, track and report on its testing data. Check out some of the things we’re doing to turn vulnerabilities into software defects for examples of what we think needs to happen next. As an industry, we need to move beyond “dead” PDF reports that capture a point-in-time analysis of a single application and start treating test results as data to be analyzed, transformed and, ultimately, used to manage risk and speed up the fixing of vulnerabilities.

Contact us for help managing your application vulnerability data.

Posted via email from Denim Group’s Posterous

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd, the parent company of ThreadFix. He has more than 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.