Penetration testing efforts − however thorough they may be − cannot always ensure an exhaustive discovery of every instance where a security control’s effectiveness is insufficient. Identifying a cross-site scripting vulnerability or risk in one area of an application may not definitely expose all instances of this vulnerability present in the application. This chapter illustrates the concept and utility of remediation.
Remediation is an act of offering an improvement to replace a mistake and set it right. Often the presence of vulnerability in one area may indicate weakness in process or development practices that could have replicated or enabled similar vulnerability in other locations. Therefore, while remediating, it is important for the tester to carefully investigate the tested entity or applications with ineffective security controls in mind.
Because of these reasons, the respective company should take steps to remediate any exploitable vulnerability within a reasonable period of time after the original penetration test. In fact, as soon as the company has completed these steps, the pen tester should perform a retest to validate the newly implemented controls which are capable to mitigate the original risk.
The remediation efforts extending for a longer period after the initial pen test possibly require performing a new testing engagement to ensure accurate results of the most current environment. This determination should be made after a risk analysis of how much change has occurred since the original testing was completed.
Moreover, in specific conditions, the flagged security problem may illustrate a basic flaw in respective environment or application. Therefore, the scope of a retest should consider whether any changes caused by remediation identified from the test are classified as significant. All changes should be retested; however, whether an entire system retest is necessary or not will be determined by the risk assessment of the changes.