Network Security Pen-Test

Re: Pen Test Success Factors

Subject: Re: Pen Test Success Factors
Date: 25 Feb 2008 02:03:55 -0000
You could always offer fixing the exploits and vulnerabilities. That would
truly be a great success factor they would love. You could indeed generate a
full report of all events that took place with custom comments to IT
staff/administrators in pointing out problems, suggestions, and common
feedback. Also, you might want to expand your findings with the additional
testing of odd behaviors or functionalities by testing for SSL and changing
HTTPS protocols to boost your results and raise the customer's confidence, and
of course security. Also, you should, if you have not already, test for logical
flaws, which have to be done manually and explained thoroughly, and can be quite
effective, and is almost exactly what the customers want to hear, because of
the non-technical terms involved to demonstrate or explain the attack(s). You
should also explain that every bit of exploit or vulnerability is important.
Don't let them justify that XSS isn't serious (which most companies do).
Explain to them that every bit of information assembled is indeed quality for an
attacker. Also, you should speak with the CTO or the IT staff so that they can
better understand your concerns, as most business owners just don't, because
of the lack of security information and what is normally embedded.

-Yousif Yalda
-Security Consultant
-Http://Vapt-Sec.Com
-Http://YousifYalda.BlogSpot.Com
