This is almost entirely dependent on an organization’s staff availability and the severity and scope of the vulnerabilities identified. Depending on the organization, remediation efforts can take anywhere from one to two months to over a year.
Denim Group typically recommends a phased, risk-based approach to remediation where serious vulnerabilities that are comparatively easy to remediate are addressed first – possibly in an out-of-cycle release. Remediation for further vulnerabilities can be handled in subsequent releases, as resources are available to address them. Because of the many factors, estimating remediation time prior to commencing testing is very challenging to do with any degree of specificity.
Network infrastructure and host vulnerabilities will have to be addressed by the appropriate personnel, and any changes will presumably have to be run through an organization’s change management procedures.
It should also be noted that the development and testing efforts to address application vulnerabilities typically require the time and attention of developers who are often otherwise engaged developing new features for the applications and otherwise executing on applications’ planned roadmaps.
Time to Fix Application Vulnerabilities
Application vulnerabilities can be much more complicated to remediate because they typically require a software development effort to address. In addition, because vulnerabilities are usually first identified via penetration testing rather than source code review, an organization’s personnel usually must identify the actual location of the vulnerabilities in source code.
Fixing Technical Vulnerabilities (such as XSS and SQL injection)
Simple technical application vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection are, individually, very predictable to remediate and usually only require changing a small number of lines of code. These code changes must then be run through an organization’s quality assurance and release management processes.
Fixing Logical Vulnerabilities (such as authorization issues or abuse of functionality issues)
In addition, logical vulnerabilities such as authorization issues or abuse of functionality issues can take days or weeks to remediate because they may require design changes to the application. These design changes must then be coded and run through the aforementioned quality assurance and release processes.
Fixing Architectural Issues
Architectural issues with things such as authentication can require even more extensive remediation and organizational change management efforts.