What if…

I saw this great conversation on Twitter started by Rob Fuller (@mubix): “What if: All pen-test reports were required to become public record after 6 months?”

My thoughts on the subject:

1. I remember the saying “He who has nothing to hide hides nothing”. If you fixed them, then who cares? I like the idea – what better way to get the company to close the vulnerabilities.

2. If done, I think the timeframe would have to be expanded – yes, it may take more than 6 months to fix a broken process/app. Without diving down the rabbit hole and trying to pick a time (I am sure there are pros and cons to any time frame you may choose), I am sure the community (or regulatory body, if this becomes a future regulatory requirement) could establish a time frame that would work.

3. It would definitely weed out the “script companies”. There are some arguments within the conversation that state it would mean companies would hire poor testers just so they get a green light. I don’t share that. I think the poor testers will be identified and weeded out. There would be a stigma associated with the poor testers, and any association with them would have negative ramifications.

4. I think only the categories and rankings should be published. For example: “A high-rated XSS vulnerability was found on http://www.example.com/login”. Why just a summary? It’s possible that even the good testers miss items, and I wouldn’t want to give would-be attackers an easier avenue in (make them earn it).

5. Perhaps a way to get this kind of process started is to have the Internal Audit team audit the finding/remediation process (and ensure they have the capability to do so).


Just some thoughts…
