Overcoming Vulnerability Management Problems
Friday, November 19, 2010 at 6:47PM

When it comes to solving web application security problems there are plenty of vulnerability assessment tools in common use by IT security teams. Naturally, every team wants to automate the process as much as possible to avoid the repetitive and mundane tasks that remediation normally involves. Once weaknesses have been identified, the almost automatic reaction is to rely on patch management and on hardening of systems, databases and configurations.
One problem that commonly occurs is that an organisation is left with many different applications and tools with which to find and monitor its web vulnerabilities: network scanners to locate bugs in hosts and services, application scanners for the web applications themselves, and often other software solutions as well.
When you add penetration testing results, you can be left with a mountain of data to deal with, which can actually compound the problem.
Eventually the issue becomes managing the data as much as finding remedial solutions. It is also common to find that false positives, and the same issue reported by several tools in different forms, cloud the issues at hand.
That's why it is important to look at six basic requirements that stop these problems arising in the first place.
- Normalising schema. When setting up the vulnerability management system, describe data in the same manner across networks, applications and databases: the same asset, location, weakness and severity fields for every source, so that one issue reported by two tools is recognised as one issue and there is little room for the misunderstanding that overlapping data otherwise causes.
- Keeping things simple. Once you have set standards, stick to them and don't complicate matters by reinventing the wheel every time. Simplicity rules, but consistency also has its place.
- Map the data and connect the dots. Without being over-simplistic, you have to make sure all the data is connected before you can solve the problem. At the end of the day there is no point having huge amounts of data which has not been used or analysed. Make sure all the data is collated and summarised.
- Define the metrics. When you set up your program you probably defined the metrics you report on, so it is important to keep those definitions the same; figures that are computed differently from one period or one tool to the next cannot be compared.
- Make reports useful. There's no point over-analysing data, which only adds to the confusion. Make sure the reporting language is simple to understand so that management is in a position to expedite appropriate action.
- Management has its role to play by ensuring a clear definition of corporate direction and allocation of resources. This means there must be a commitment to managing vulnerability issues from the outset, backed up with action whenever it is required.
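The first four requirements above (one schema, connecting overlapping results, fixed metric definitions, a plain report) are easiest to see in working code. The following Python script is an added example and is not code from the original post; the three "tool" exports, their field names, the asset 10.0.0.5 and every finding in it are constructed for illustration, and the common severity scale is an assumed choice. It normalises records from a network scanner, a web application scanner and a manually entered pentest list into one schema, collapses records that describe the same asset, location and weakness, lets a pentester's false-positive flag override the scanners, and computes a fixed set of metrics.

```python
"""Normalise findings from several tools into one schema, collapse overlapping
results, and compute a fixed set of metrics.

Added example, not code from the original post. All tool exports, field names,
hosts and findings below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample exports, imitating three tools that describe the same
# issues with different field names and different severity scales.
NETWORK_SCAN = [  # hypothetical network scanner: word ratings
    {"ip": "10.0.0.5", "port": 443, "cve": "CVE-2014-0160", "risk": "High"},
    {"ip": "10.0.0.5", "port": 22, "cve": "CVE-2016-0777", "risk": "Medium"},
]
WEBAPP_SCAN = [  # hypothetical web app scanner: CVSS-style 0-10 scores
    {"host": "10.0.0.5", "url": "/login", "cwe": "CWE-89", "cvss": 9.8},
    {"host": "10.0.0.5", "url": "/login", "cwe": "CWE-89", "cvss": 8.6},  # rescan
    {"host": "10.0.0.5", "url": "/search", "cwe": "CWE-79", "cvss": 6.1},
]
PENTEST_FINDINGS = [  # hypothetical manually entered pentest results
    {"target": "10.0.0.5", "path": "/login", "weakness": "CWE-89", "rating": "critical"},
    {"target": "10.0.0.5", "path": "/search", "weakness": "CWE-79", "rating": "info",
     "false_positive": True},
]
BATCHES = {"network": NETWORK_SCAN, "webapp": WEBAPP_SCAN, "pentest": PENTEST_FINDINGS}

# One severity scale for every source (assumed scale, 0 = info .. 4 = critical).
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def cvss_bucket(score):
    """Map a 0-10 score onto the common 0-4 scale."""
    if score >= 9.0:
        return 4
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    return 1 if score > 0 else 0


@dataclass
class Finding:
    """The common schema every source is mapped into."""
    asset: str
    location: str       # "tcp/443" for a service, a URL path for a web issue
    weakness: str       # CVE or CWE identifier
    severity: int       # 0..4 on the common scale
    sources: set = field(default_factory=set)
    false_positive: bool = False

    def key(self):
        return (self.asset, self.location, self.weakness)


def normalise(source, record):
    """Map one raw record from a named source into the common schema."""
    if source == "network":
        return Finding(record["ip"], f"tcp/{record['port']}", record["cve"],
                       SEVERITY[record["risk"].lower()], {source})
    if source == "webapp":
        return Finding(record["host"], record["url"], record["cwe"],
                       cvss_bucket(float(record["cvss"])), {source})
    if source == "pentest":
        return Finding(record["target"], record["path"], record["weakness"],
                       SEVERITY[record["rating"].lower()], {source},
                       bool(record.get("false_positive", False)))
    raise ValueError(f"unknown source {source!r}")


def correlate(batches):
    """Collapse records with the same asset/location/weakness into one finding.
    Keeps the highest severity seen; a manual false-positive flag always wins."""
    merged = {}
    for source, records in batches.items():
        for rec in records:
            f = normalise(source, rec)
            if f.key() in merged:
                m = merged[f.key()]
                m.severity = max(m.severity, f.severity)
                m.sources |= f.sources
                m.false_positive = m.false_positive or f.false_positive
            else:
                merged[f.key()] = f
    return list(merged.values())


def metrics(findings, raw_count):
    """Metrics defined once here and reused unchanged in every report."""
    open_ = [f for f in findings if not f.false_positive]
    return {
        "raw_records": raw_count,
        "unique_findings": len(findings),
        "open": len(open_),
        "false_positives": len(findings) - len(open_),
        "open_by_severity": dict(Counter(f.severity for f in open_)),
        "confirmed_by_multiple_tools": sum(len(f.sources) > 1 for f in open_),
    }


def report(findings):
    """Plain-language summary, most severe first, for management."""
    lines = []
    for f in sorted(findings, key=lambda x: -x.severity):
        status = "FALSE POSITIVE" if f.false_positive else f"severity {f.severity}"
        lines.append(f"{f.asset} {f.location} {f.weakness}: {status} "
                     f"(seen by {', '.join(sorted(f.sources))})")
    return "\n".join(lines)


if __name__ == "__main__":
    found = correlate(BATCHES)
    print(metrics(found, sum(len(b) for b in BATCHES.values())))
    print(report(found))
```

Seven raw records collapse to four findings, three of them open; the SQL injection at /login is reported by two tools and keeps the higher rating, and the XSS at /search is suppressed because the pentester marked it a false positive. The point of the `key()` tuple is that the decision of what counts as "the same finding" is made once, in the schema, rather than separately in every report.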
From a corporate perspective, it is clear that there needs to be consensus across the whole organisation and that the vulnerability management program is designed with input from all departments, especially IT. This is the only way to ensure consistency in the data stored on servers, and it will also ensure that the auditors' perspective is consistent. Penetration testing results can then be interpreted in a consistent manner.