Module 4

4.5

Remediation Guidance

“Patch the system” is not remediation guidance. Neither is “follow security best practices.” Remediation guidance that clients actually use is specific, prioritized, and actionable.

Sometimes you will not have full context on what happens on the other side of the application or system you test. In those cases, infer as much as you can, but work with the client's team so the remediation fits the context of the application and the needs of the organization.

Three rules for strong remediation:

Be specific.

  • “Change the password” ❌
  • “Rotate the svc_sqladmin password to a 25+ character randomly generated string and implement Group Managed Service Accounts (gMSA) to prevent human-managed credentials.” ✅
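To show what the specific version of that recommendation looks like when a client's Active Directory team acts on it, here is an added example (not part of the course text): rotating the existing account's password and moving the SQL service onto a gMSA. The gMSA name `gmsa_sqladmin`, the computer group `SQL-Servers`, the DNS names and the SPN are assumed values for illustration.

```powershell
# Added example, not from the course: the "Be specific" recommendation above as
# concrete steps. Account, group and host names are assumptions.
Import-Module ActiveDirectory

# 1. Rotate svc_sqladmin to a long random password so any previously cracked or
#    leaked value is invalidated. 32 random bytes base64-encoded is ~43 characters.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity 'svc_sqladmin' -Reset -NewPassword $newPassword

# 2. Make sure a KDS root key exists (one-time per forest). With
#    -EffectiveImmediately the key is still subject to the default ~10-hour
#    replication delay before gMSAs can be created against it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 3. Create the gMSA and restrict password retrieval to the SQL host group.
New-ADServiceAccount -Name 'gmsa_sqladmin' `
    -DNSHostName 'gmsa_sqladmin.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Servers' `
    -ServicePrincipalNames 'MSSQLSvc/sql01.corp.example:1433'

# 4. On each SQL host: install and verify the account, then reconfigure the
#    SQL Server service to log on as CORP\gmsa_sqladmin$ (no password; Windows
#    rotates it automatically).
Install-ADServiceAccount -Identity 'gmsa_sqladmin'
Test-ADServiceAccount -Identity 'gmsa_sqladmin'   # should report True

# 5. Once the service runs under the gMSA, retire the human-managed account.
Disable-ADAccount -Identity 'svc_sqladmin'
```

Steps 1 and 5 are the low-effort, high-value part of this item; steps 2 to 4 need a change window on the SQL hosts, which is exactly the kind of effort level the trade-offs rule below asks you to call out.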

Prioritize. If you list ten remediation items with no priority, the client will start with the easiest, not the most important. Explicitly rank by risk and mark what to do first.

Acknowledge trade-offs. Some remediation steps are easy. Some require downtime, application changes, or organizational buy-in; turning on bucket versioning for critical resources, for example, will increase the client's cloud spend. Acknowledge the effort level so the client can plan.

Three remediation recommendations need improvement. Identify what’s wrong with each and select the stronger alternative.

Challenge

Improve Remediation Guidance

multiple-choice

Scenario

Review each remediation recommendation and select the stronger version.

Question 1 of 3

Finding: svc_adbackup — Kerberoastable service account with weak password and DCSync rights.

Question 2 of 3

Finding: No account lockout policy configured.

Question 3 of 3

Finding: Excessive Domain Admin group membership — 9 members, 7 unexpected.