To Validate or Not, Is That the Question?
Recently, a project manager I work with asked me if I had manually validated a set of security flaws I uncovered during a web security assessment. The flaws in question were related to the server host and not the actual Web application. I actually had not manually validated every single finding in that regard. I paused to think about it and understood why he asked. The scope of the assessment stated we’d use automated tools and perform manual analysis of the hosts and applications we were testing. During discussions with the client it became clear to him that I had not manually validated every single flaw – hence his question.
Let me explain why I didn’t validate everything. When you’re testing IP-based hosts, you often don’t need to manually validate every single finding – only occasionally. However, with Web applications, you need to validate just about everything to ensure you’re not documenting problems and solutions for issues that don’t even exist. I told the project manager that for an SSL certificate flaw I uncovered, the scanner is providing the same information I’d be able