It’s a natural reaction. You receive a security test report only to find that there are security issues with your system. You immediately start plotting ways to cover them up, smooth them over, and remove them from record. Stop!
Every security consultant has experienced this reaction and every security consultant worth a damn has told their client that it’s okay. Just like functional bugs, security issues are a fact, a certainty of complex software, and the best way to deal with them is out in the open.
It’s not your fault
As the person responsible for a system, whether management, operations, development or testing, it’s easy to be defensive and shift blame. The reality is it’s almost never important whose fault a security issue is, and even when it is, it’s unlikely to be your fault alone. And even then, it’s just not productive.