First the don’ts:
- Never submit a full vulnerability report to developers without reviewing it. Pair it down to most crucial true findings. Nothing kills appsec program credibility like having developers dig through a pile of false positives
- Don’t ignore the findings. If you don’t have resources to deal with the finding, label the findings as the baseline and make sure no new ones are introduced in addition to the baseline. Then chip away at the baseline as time permits.
- Educate your developers on application vulnerabilities. Show how they can be abused, what causes them and how to fix them. Don’t skip the last part - it is what really matters.
- Adjust and adopt to the way developers develop and deploy. They should decide what works for them, you should then find the tooling that plays nice in their pipeline.