Results Triage - Finding a Rhythm
I just got done triaging the results of an AppScan website scan all the way through. I've done it before but never on a production run. It has always been partial triages before on training runs. After seven years of secure code review, I have triaged a lot of static analysis results from a variety of tools before and I've gotten quite good at it. I know once you get to know the tool and know how it spits out its results, which rules are almost always reliable, which are sometimes reliable and sometimes wrong, which are often wrong, you can work pretty quickly. Work some hard issues, switch to some easy ones for a break, back to hard ones. Adjust that based on the schedule if you need to focus on the most important stuff and do not have time to do it all. For source code scanning, I have gotten pretty good at it.
This was quite a bit different. The results of a dynamic, black box scan of a website are quite a bit different than a static analysis scan of source code where everything is laid out before you. It's automated pen testing followed by verification still against that black box. As I've said before my pen testing skills are rusty from disuse and it has been a few years since I have evaluated a web application outside of training sessions. Like the pen testing, it's a bit rusty. No well-established rhythm in my triaging muscle memory.
We have a technical oversight/sanity check person working with us which is really nice in general to provide fresh eyes on things like this but it is really nice when you are in a new job in a new company. You are good at the way you do things but not necessarily the way the new company does things so having somebody around that is good at the company way is nice. Since this first time through with the new guys I made sure to ask questions and made sure I wasn't wandering off down the rabbit hole. I was shocked at how quickly these experienced folks said they could triage things on these web scans. As I looked at the results before me I thought there was no way I could get close to that speed.
And I didn't.
But between the triaging cheat sheets with experience here where the rules are good, here's where they are prone to false positive guidance and diving in I started to find that rhythm. Figure out the tool's display, and what to look at to verify the finding or dismiss it. Find the pieces to replicate the results manually. Get to know the HTML in front of you and set the search feature right you can progress through false positive weeding out fast in some cases like when a custom error page is mistaken for a result. I didn't come close to the speed the old pros can do but I can see how they do it as I find that rhythm and scrape the rust off the lesser-used skills.