Developing a remediation plan
A remediation plan defines a structured approach that your teams can use to prioritize and resolve the security findings that Veracode scans discover in your applications. This approach helps your teams improve the security posture of their applications efficiently. When development teams begin application security testing, they can be overwhelmed by the number of findings. Teams are often under pressure to address findings quickly, but they might not know where or how to begin. A well-defined remediation plan gives this process structure. This section outlines the key considerations your teams can use as a guide when developing a remediation plan.
This section applies to findings discovered by the following Veracode products:
- Veracode Container Security
- Veracode Dynamic Analysis Security Testing (DAST)
- Veracode Penetration Testing as a Service (PTaaS)
- Veracode Software Composition Analysis (SCA)
- Veracode Static Application Security Testing (SAST)
Findings from Static Analysis and Dynamic Analysis are called flaws; the other products refer to them as vulnerabilities. When the analysis method is not specified, Veracode refers to all flaws and vulnerabilities collectively as findings.
Prerequisites
Before you create a remediation plan, complete the following steps:
1. Review and ensure the policy is achievable
You must assign a policy to all application profiles in the Veracode Platform. The Veracode administrator, the security team, and the development team must confirm that the assigned policy is realistic and achievable. Setting overly ambitious goals for a newly onboarded team can result in frustration and missed targets.
2. Ensure your team is set up for success
Ensure that all developers have Veracode Platform accounts, so they can access scan results, and that they are enrolled in Veracode eLearning or Veracode Security Labs, as appropriate, so they receive continuous security training that supports them as they improve their remediation efforts.
Key components of a remediation plan
A successful remediation plan includes the following components:
- A prioritized list of findings to address.
- An estimate of the level of effort required for each finding or group of findings.
- A timeline for remediation.
1. Prioritize findings
In some cases, the number of security findings may be manageable, allowing you to review all of them. However, when dealing with hundreds or thousands of findings, prioritization becomes essential. Several strategies can help guide this process:
a. Use Veracode Risk Manager
Veracode Risk Manager can assist in identifying and prioritizing the most critical findings, helping you focus on high-impact areas for remediation.
b. Focus on policy-affecting flaws
Start by addressing flaws that affect your application's compliance with its assigned policy. To make sure you are focusing on policy-affecting flaws, open the Triage Flaws page in the Veracode Platform and filter the flaws by setting Fix for Policy to Required.
c. Filter by severity
Veracode assigns every finding a severity, ranging from Very High (CRITICAL for Container Security findings) down to Informational (UNKNOWN for Container Security findings). Higher-severity findings are likely to have a greater impact on your business, and Veracode recommends addressing them first. To learn more about these ratings, see About severity, exploitability, and effort to fix and Review Container Security findings.
d. Leverage exploitability and effort (SAST)
For SAST results, the Veracode Platform Triage Flaws page allows filtering by additional metrics. To learn more about these metrics, see About severity, exploitability, and effort to fix.
The Fix First Analyzer provides a visual representation of which flaws should be addressed first to improve overall security. The tool highlights flaws based on severity and ease of remediation. On the Triage Flaws page, select Fix First Analyzer in the top-right corner for a detailed analysis.
To prioritize the most critical flaws, start with the orange circles in the upper-right quadrant of the analyzer: these are the flaws with high severity and low effort to fix. You can further filter flaws by exploitability to prioritize those most likely to be exploited. Select the information icon next to the exploitability rating for more details.
e. Address flaws in common modules (SAST)
If your application reuses code modules across various components, or modules are reused in other applications, vulnerabilities in these common modules can have a broader impact. Flaws in shared code should be prioritized based on their potential impact on the entire organization.
f. Leverage automation (SAST, SCA)
For Software Composition Analysis results, consider using the agent update advisor, which recommends safer versions of vulnerable libraries and indicates whether an update could potentially break your build.
To configure the update advisor, see Configure the update advisor for Veracode SCA.
For Static Analysis results, you can subscribe to Veracode Fix, which can automate remediation for certain flaws. You can filter your results in the IDE to show only the flaws that Veracode Fix can address.
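The strategies above combine into a single ordering: policy-affecting flaws first, then by severity, then flaws in shared modules, then by exploitability, and among equals the cheapest fix first. The script below is an added example of that ordering, not part of this page or of any Veracode tool. It works on constructed sample findings, not real scan output. The severity scale (5 = Very High down to 0 = Informational) follows the Veracode Platform; the exploitability scale (-2 to 2), the effort scale (1 to 5), the set of shared modules and the upper-right-quadrant thresholds used for the Fix First view are assumptions made for the example.

```python
"""Rank findings for remediation in the order this page recommends.

Constructed sample data only; the field names and the exploitability and
effort scales are assumptions for this example, not a Veracode API contract.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    flaw_id: int
    cwe: int
    module: str
    severity: int          # 5 Very High .. 0 Informational (Veracode Platform scale)
    violates_policy: bool  # "Fix for Policy: Required" on the Triage Flaws page
    exploitability: int    # assumed scale: -2 Very Unlikely .. 2 Very Likely
    effort: int            # assumed scale: 1 trivial .. 5 complex design change


# Assumption: modules that are reused across applications, so a flaw in
# them has organization-wide impact (strategy e above).
SHARED_MODULES = {"common-auth.jar"}

# Constructed sample findings, not real scan results.
SAMPLE_FINDINGS = [
    Finding(101, 89, "app.war", 5, True, 2, 2),             # SQL injection
    Finding(102, 79, "app.war", 3, True, 1, 1),             # XSS
    Finding(103, 327, "common-auth.jar", 3, True, 0, 3),    # weak crypto, shared code
    Finding(104, 117, "app.war", 2, False, -1, 1),          # log injection
    Finding(105, 601, "app.war", 4, False, 1, 2),           # open redirect
    Finding(106, 502, "common-auth.jar", 5, False, 1, 4),   # deserialization, shared code
    Finding(107, 79, "app.war", 3, True, 1, 1),             # second XSS, same module
]


def priority_key(f: Finding) -> tuple:
    """Sort key; a smaller tuple means fix sooner.

    Order of precedence: policy violation, severity (descending), shared
    module, exploitability (descending), effort (ascending, quick wins first).
    """
    return (
        not f.violates_policy,
        -f.severity,
        f.module not in SHARED_MODULES,
        -f.exploitability,
        f.effort,
    )


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return the findings in remediation order (stable for equal keys)."""
    return sorted(findings, key=priority_key)


def fix_first(findings: list[Finding], min_severity: int = 4, max_effort: int = 2) -> list[Finding]:
    """Approximates the upper-right quadrant of the Fix First Analyzer:
    high severity and low effort. The thresholds are assumptions."""
    return [f for f in prioritize(findings)
            if f.severity >= min_severity and f.effort <= max_effort]


def remediation_batches(findings: list[Finding]) -> dict[tuple[int, str], list[int]]:
    """Group findings that can be fixed together (same CWE in the same module),
    keeping the priority order. The per-batch effort estimate is the largest
    single effort in the batch, since one change usually covers all instances."""
    batches: dict[tuple[int, str], list[int]] = defaultdict(list)
    for f in prioritize(findings):
        batches[(f.cwe, f.module)].append(f.flaw_id)
    return dict(batches)


def batch_effort(findings: list[Finding]) -> dict[tuple[int, str], int]:
    """Effort estimate per batch, using the rule described in remediation_batches."""
    by_id = {f.flaw_id: f for f in findings}
    return {key: max(by_id[i].effort for i in ids)
            for key, ids in remediation_batches(findings).items()}


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.flaw_id} CWE-{f.cwe:<4} sev={f.severity} policy={f.violates_policy} "
              f"expl={f.exploitability:+d} effort={f.effort} module={f.module}")
    print("Fix first:", [f.flaw_id for f in fix_first(SAMPLE_FINDINGS)])
    print("Batches:", batch_effort(SAMPLE_FINDINGS))
```

With the sample data, the SQL injection (policy-affecting, Very High) ranks first, the weak-crypto flaw in the shared module outranks the two XSS flaws of equal severity, and the non-policy deserialization flaw ranks above the lower-severity non-policy findings. Replace the sample list with findings exported from your own scans and adjust the shared-module set and thresholds to match your organization.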
2. Understand findings
Before remediation, ensure that your team thoroughly understands the security findings. Review the findings in the IDE (SAST, SCA), examine the context in which each finding occurs, and consider scheduling a consultation call with a Veracode Application Security Consultant to review your results and accelerate remediation.
3. Plan the work
You can use the Action Items from the Veracode Platform's Detailed Report to develop a timeline for remediation that aligns with your policy's grace periods.
Executing on the plan
When it is time to execute the plan, keep the following points in mind.
1. Execute, rescan, and validate
Use Veracode Fix (SAST), the update advisor (SCA), and remediation guidance from Veracode Application Security Consultants to address findings. After remediation, rescan the application to validate the fixes and confirm that no new vulnerabilities have been introduced.
2. Report to stakeholders
After remediation is complete, ensure the analysis results are available to stakeholders. For PTaaS, DAST, SCA, or SAST findings, this typically means running the scan in the Policy area of the Veracode Platform or, for SAST, promoting the scan from a sandbox to the Policy area, so that compliance with your defined policy can be verified.
3. Continuous improvement
Security is an ongoing process. Use automation and continue to scan regularly so that new findings are identified and addressed as they emerge.