The AppSec How-to: Visualizing and Effectively Remediating Your Vulnerabilities

The biggest challenge with Source Code Analysis (SCA) tools is how to effectively prioritize and fix the numerous findings. Developers are quickly overwhelmed while trying to analyze security reports containing results that are presented independently from one another. Take for example, WebGoat – OWASP’s deliberately insecure Web application used as a test-bed for security training – has more than 100 Cross-Site Scripting (XSS) flaws. Assuming that each vulnerability takes 30 minutes to fix and another 30 minutes to validate, we’re looking at nearly three weeks of work. This turnaround is certainly too long, costly and even impractical for large projects with many KLOCs or for environments with quick development cycles such as Agile/DevOps. With such a large amount of vulnerabilities, it should come as no surprise that vulnerable and unfixed code is often released. In this article, we show how visual insights into the vulnerability from origin to impact can help developers picture the security state of their code, view the effect of fixing vulnerabilities in different locations and automatically narrow down results from extra-large code bases to manageable amounts.