There are two frameworks you can use to write better recommendations:

• IPDRR
• Security Design Principles

IPDRR

Identify - How to identify the vulnerability in the code-base or infrastructe?

Protect - How to protect the application by mitigating or remediating the vulnerability?

Detect - How to detect if this vulnerability is being exploited in the run time? How to detect past evidences of exploitation?

Respond - How to respond once you have detected the breach?

Recover - How to recover from the breach and get back in to usual business?

Security Design Principles

When in doubt, look at the security-issue from a design standpoint. Then find a match from the table below, and expand on the idea.

Bad	Good
Spoofing	Authentication
Tampering	Integrity
Repudiation	Accountability
Information Disclosure	Confidentiality
Denial Of Service	Availability
Elevation Of Privilege	Authorization
Negative Security Model	Positive Security Model
Single Security Point	Defense In-Depth
Fail Open	Fail Close
Great Privilege	Least Privilege
Closed Design	Open Design
Security Through Obscurity	Keep It Simple
Ignore Intrusions	Detect Intrusions
Opt-in Security	Secure Defaults
Trust Everything	Trust Only You
Trust Everything	Zero Trust
Single Point Of Failure	Compartmentalize
Assume The Best	Assume The Worst
Untrusted Input	Input Validation
Insecure Randomness	Cryptographically Secure Randomness
Misconfiguration	Configuration Review
TOCTOU	Lock Before Check
Weak Passwords	Password Quality Rules
Cleartext storage	Encrypted storage
Automated Attacks	Rate Limiting
Block-list	Allow-list
Cleartext Communication	Encrypted Communication

Checklist

• Provide actionable instructions
• Be reasonable - burn not your house to fright the mouse away
• Provide or link sample secure code, configurations, etc.
• Link to corresponding sections in hardening guidelines
• Provide instructions to verify a secure implementation
• Provide alternative methods to mitigate vulnerabilities