There are all sorts of fun things you can do with a PDF assessment report. For example:
1. Email it to a developer with a note saying “fix these vulnerabilities” so they can ignore it
2. Print it out and put Post-It notes on the pages with the vulnerabilities you want fixed. Then hand it to a developer so they can ignore it (you get bonus points for futility if you color-print the report because the only color in the entire document is the pie chart on the first page – and maybe some screenshots of possible exploits that aren’t going to be used to fix the issues)
3. Put it on a shared drive (or even SharePoint!) so everyone can ignore it.
4. Send it up the chain to “management” so they can be confused by it. And then ignore it.
5. Desperately hope your auditors don’t find it
One of the things we’re trying to do with ThreadFix is make it so that any organization who is testing applications has a centralized place to collect, track and report on their testing data. Check out some of the things we’re doing to turn vulnerabilities into software defects for some examples of what we think needs to happen next. As an industry, we need to move beyond “dead” PDF reports that reflect a point-in-time analysis for a single application and start treating the results of testing as data to be analyzed, transformed and, ultimately, used to manage risk and speed the fixing of vulnerabilities.
dan _at_ denimgroup.com