Ship (A5): SDL Activities and Best Practices 203
scan is actually an assessment, and as such will look for known vulner-
abilities in the software and associated systems. It is automated, it can
typically be run by a technician, and it will report potential exposures.
Having your own development staff conduct the vulnerability scans will
help them not only build up a baseline of what is normal for software
security but also to understand it. In contrast, a penetration test actually
exploits weaknesses in the architecture of your systems and requires vari-
ous levels of expertise within your scope of the software and associated
systems you are testing. Such testing is typically conducted by a seasoned
software security professional such as a software security architect or sea-
soned software security engineer.
Vulnerability scanning is a necessary part of software security and the
SDL. Given its automated nature and ease of performance, it should be
run at various times through the SDL as a cost-effective, efficient, and
minimally intrusive way to continually check your work. The results
should be continually baselined to identify code or architectural changes
that may have introduced new vulnerabilities during the process.
Although every effort must be taken to remediate all discovered vul-
nerabilities, there are some cases where the scanner may falsely identify
vulnerability or exceptions are made. False positives are vulnerabilities
where the scanner has identified the software as being vulnerable when, in
fact, it is not. Of course, once this is proven, the false positive can be dis-
counted. Exceptions are made because the remediation will prevent opti-
mal software performance, restrict a critical function in the product, or
even require a complete architecture redesign. The risk is deemed accept-
able because compensating controls are in place or can be put in place
with minimal effort to mitigate the risk. Exceptions may be permanent or
they may have an expiration date attached. The typical vulnerability scan
process is diagramed in Figure 7.2.
Static or dynamic source code vulnerability scanner tools, as discussed
earlier in this book, can be used during this phase as appropriate. If the
software is a Web application, you must use tools designed specifically
for Web application vulnerability analysis. One mistake that should be
avoided if you are using a Web application vulnerability scanner is not to
scan for just the OWASP “Top 10” vulnerabilities, but rather scan for all
software application vulnerabilities. As with static or other dynamic vul-
nerability scanners, if critical, high, or severe application vulnerabilities
are identified by scanning, those vulnerabilities must be fixed before the