[QA.ST.2] Normalize security testing findings
Category: FOUNDATIONAL
Effective vulnerability management requires clarity and consistency. Given the diversity of security testing tools in a DevOps environment, findings often emerge from different sources and in different formats. This diversity of tooling can introduce confusion and inefficiency into risk management processes. Having a common framework for normalizing the interpretation and ranking of vulnerabilities from diverse security testing tools provides a systematic approach to risk management and mitigation. Normalization is not just about consistency; it helps ensure that every identified vulnerability is understood, categorized, and managed according to its threat level.
Begin by selecting a recognized scoring system, such as the Common Vulnerability Scoring System (CVSS). Use tools that can automatically translate findings into the standardized format. Integrations like the Static Analysis Results Interchange Format (SARIF)
By adopting a systematic approach to normalization, organizations can verify that their response to vulnerabilities is consistent, effective, and aligned with the actual risks posed to the system. Ensure that everyone involved in the security process understands the chosen scoring system and knows how to interpret it. Regular workshops or training sessions can help ensure ongoing alignment.
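The following is an added example, not code from the original page, showing what the normalization described above looks like in practice: findings from two differently shaped scanner outputs (a SARIF 2.1.0 document and a hypothetical JSON format from a made-up dependency scanner called "depcheck") are translated into one common record, scored on the CVSS v3.1 qualitative severity scale, de-duplicated, and ranked. The SARIF field names (`runs`, `tool.driver.name`, `results`, `ruleId`, `level`, `message.text`, `locations[].physicalLocation.artifactLocation.uri`) are real; the `security-severity` property bag key is a common convention rather than part of the SARIF standard, the fallback mapping from SARIF `level` to a score is an assumption to tune to your own policy, and all input documents are constructed.

```python
"""Normalize findings from several security tools into one ranked record format.

Added example: both input documents below are constructed, not real tool output.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass


def cvss_rating(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed fallback for SARIF results that carry no numeric score: map the SARIF
# 'level' to a representative score so the finding can still be ranked.
LEVEL_TO_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


@dataclass(frozen=True)
class Finding:
    """The common, tool-independent record every finding is translated into."""
    tool: str
    rule_id: str
    location: str
    score: float
    severity: str
    message: str


def from_sarif(doc: dict) -> list[Finding]:
    """Translate a SARIF 2.1.0 document into Finding records."""
    out = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            locs = r.get("locations") or []
            uri = locs[0]["physicalLocation"]["artifactLocation"]["uri"] if locs else "<unknown>"
            props = r.get("properties", {})
            # Prefer an explicit numeric score (the 'security-severity' convention),
            # otherwise fall back to the level-based assumption above.
            score = float(props.get("security-severity", LEVEL_TO_SCORE.get(r.get("level", "warning"), 4.0)))
            out.append(Finding(tool, r["ruleId"], uri, score, cvss_rating(score), r["message"]["text"]))
    return out


def from_depcheck(doc: dict) -> list[Finding]:
    """Translate the hypothetical 'depcheck' format: {"issues": [{id, file, cvss, title}]}."""
    out = []
    for issue in doc["issues"]:
        score = float(issue["cvss"])
        out.append(Finding("depcheck", issue["id"], issue["file"], score, cvss_rating(score), issue["title"]))
    return out


def normalize(*batches: list[Finding]) -> list[Finding]:
    """Merge batches, de-duplicate on (rule, location) keeping the highest score, rank descending."""
    best: dict[tuple[str, str], Finding] = {}
    for f in (f for batch in batches for f in batch):
        key = (f.rule_id, f.location)
        if key not in best or f.score > best[key].score:
            best[key] = f
    return sorted(best.values(), key=lambda f: (-f.score, f.tool, f.rule_id))


# Constructed SARIF document: two distinct findings plus a duplicate of the first.
SARIF_DOC = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sast-example"}},
        "results": [
            {"ruleId": "EX001", "level": "error", "message": {"text": "constructed: untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}],
             "properties": {"security-severity": "9.1"}},
            {"ruleId": "EX002", "level": "warning", "message": {"text": "constructed: weak hash algorithm"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"}}}]},
            {"ruleId": "EX001", "level": "warning", "message": {"text": "constructed: same issue reported again"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
        ],
    }],
}

# Constructed output of the hypothetical dependency scanner.
DEPCHECK_DOC = {"issues": [{"id": "DEP-42", "file": "requirements.txt", "cvss": 5.3,
                            "title": "constructed: outdated dependency with a known issue"}]}


if __name__ == "__main__":
    for f in normalize(from_sarif(SARIF_DOC), from_depcheck(DEPCHECK_DOC)):
        print(json.dumps(asdict(f)))
```

Each new tool gets its own small translator (`from_sarif`, `from_depcheck`) and everything downstream, such as triage queues, dashboards and SLA tracking, works only on `Finding` records, so adding a scanner never changes how findings are ranked or compared.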