I've spoken to a couple of people off-line about this post, and I'm glad for the positive feedback I've gotten, but the questions are sometimes more valuable to me. A friend asked about this statement:
I've had this same rant over and over and over. And believe me - my primary goal in documenting findings is documenting them in such a way that the individual problems get fixed. But management makes decisions based on metrics. Managers deal with many, many, many facets of production, so they need things abstracted. They could really care less about how many reflected XSS flaws there are versus persisted - they want to know how much money they're gonna lose if they don't fix it, and how much money it's gonna cost them to fix it.

One thing I didn't make very clear there - management in making their decisions based on money is not misguided. There are regulatory issues now that make fixing some flaws critical, but managers have an obligation to their customers and to their stockholders. If the risk vs. reward scenario doesn't work out right, a mitigating control oughtn't be implemented. I just wish there weren't unfortunate real people on the other end of that flaw - actual victims of the attacks.
Point well taken, friend. You know who you are.