Bugzilla provides extensive, detailed documentation of the level of known vulnerability of any application's code. The problem that this raises for your CISO is that, because there are always a lot of bugs in any product, the reports coming out of Bugzilla are far too extensive and technical for any of the business managers to understand. So they want you to use Bugzilla to answer a simple question clearly: "How insecure are we?"
To begin your assignment:
•Go to Bugzilla and search for "insecure."
•Sort your results by "severity" (by selecting the heading labeled "Sev"). Be sure to take a screenshot of your sorted results.
•Choose two items on the list that have a severity ranking of "blocker," "critical," or "major." Then examine their details by selecting the ID number next to each item. Try to understand the mechanics of each vulnerability (e.g., what causes the vulnerability and how does the vulnerability represent a risk at the program level?)
Then, answer the following questions in a 2- to 3-page paper:
•In lay terms, briefly describe the two vulnerabilities you have selected. Include in your description what causes the vulnerabilities and how they represent a risk at the program level?
•Explain to the managers what types of tests and reviews should be deployed in order to determine the company's exact status on each item. For example, if cross-site scripting is one of your chosen issues, how do you propose to detect cross-site scripting problems? What are some sample testing or review approaches you might employ to determine whether the company is vulnerable to such an issue?
•Assume that the CISO has told you that the company only has resources to correct one of these vulnerabilities. What specific testing and/or review approach would you suggest in order to determine which one to correct? Provide a practical business justification for your proposal that examines the assumed resource commitment for the testing versus any known effect of each vulnerability.
Be sure to include the screenshot of your sorted results as an appendix to your paper.