Remediation is the process of taking the steps needed to address and secure areas of weakness identified within an organization. The term can be confusing because it is used to mean different things depending on context. In the information security industry, Remediation usually implies a permanent resolution, one that addresses the root cause of the problem. For example, deploying a code fix for a security issue in an application would be considered remediation. Introducing a new firewall rule might also address the risk of the issue, but this is often considered a Mitigation rather than a Remediation because it does not address the root cause (i.e. the code flaw). For simplicity, in penetration test reports we refer to any issue whose risk has been addressed by any means as Remediated.
The goal in remediation efforts is to reduce one's attack surface based on actionable recommendations provided within the final deliverable. While we always strive to assist our clients with reducing risk and improving their security postures, Secure Ideas takes a hard stance against directly performing remediation actions for issues we have identified during a test, as we believe this to be a clear conflict of interest.
At Secure Ideas, we hold ourselves to high ethical standards. But trust must be earned and not every penetration testing company follows the same set of ethical standards (as is demonstrated way too often in the media). It is feasible that an unethical penetration tester might report a finding as higher risk or not remove false positives and then offer to remediate it, hence the conflict of interest.
While not likely, there is also the potential, after the initial testing, for a security firm to be overly aggressive in recommending remediation, or to inflate the scope of work needed to provide fixes in order to benefit the testing company. In other words, it is easy to find glaring flaws or exaggerate the extent of the issues if doing so aids those performing the assessment. The other side of the coin is a penetration testing firm that performs the testing with no thought of benefiting its own organization. Secure Ideas focuses on truly empowering the customer with knowledge of the current security posture of their systems and infrastructure. The result is an unbiased explanation of the state of the client's overall infrastructure. This is the highest standard of professionalism in our industry, and the one we hold ourselves to in all endeavors.
We're not in the business of deceiving our clients. So while we're happy to discuss the various steps toward mitigating risk and making adequate remediations, we simply do not want to allow any level of skepticism to creep into the minds of our clients.