Many of the most important assets organizations own are in the form of information. These include intellectual property, strategic plans and customer data. As we have seen in recent news reports, the cost of a data breach can be significant. Interestingly, one of the main areas of weakness in organizations’ IT infrastructures occurs where people don’t expect it — in the application layer.

The majority of applications aren’t built with security in mind, and they become the weakest link that attackers can exploit to carry out data breaches. According to a recent IBM X-Force Threat Intelligence Quarterly report, out of the 8,330 vulnerability disclosures in 2013, 33 percent were categorized as Web application vulnerabilities.

Taking the First Step in Application Security

Addressing application security can be quite challenging. Large organizations manage thousands of applications, and the task of ensuring their security typically falls on the shoulders of a small, overburdened security team. Unlike other areas of security that are well understood, such as network security and host security, organizations often struggle to find the right way to approach application security. When the severity of the problem becomes obvious, their first reaction is typically to start looking for tools that can scan applications and help detect vulnerabilities. Once the tool has been acquired, the task at hand becomes running application scans. While finding vulnerabilities is important, organizations quickly discover that fully testing all apps and fixing all vulnerabilities is virtually impossible. It becomes difficult to get a full grasp on the problem and make progress toward fixing it.

Understanding Which Assets Need to Be Protected

Application security, just like any other area of security, is about understanding, managing and mitigating risk to critical assets. Unless the approach taken to address application security is based on managing risk, an organization’s application security initiative will likely never become effective.

It may be a surprise to some, but the first step toward better application security is not running scans to discover vulnerabilities. Rather, it is understanding which assets you have to protect. Start by building and understanding the inventory of applications deployed in your organization and classifying and ranking these assets by relative business impact.

Once the inventory has been completed, security teams can focus on applications that are most critical to their organizations. Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. However, that process needs to be completed after you’ve determined which assets need to be protected.

Focus Your Efforts on Vulnerabilities That Present the Highest Risk

The next challenge is figuring out which vulnerabilities present the highest level of risk. Application vulnerabilities can be difficult to address because they require code changes and, in some cases, even application redesigns. Development teams are typically on tight schedules and under a significant amount of pressure to deliver capabilities. Fixing vulnerabilities can be difficult and time-consuming. Therefore, when evaluating and addressing vulnerabilities, taking a risk-based approach is required.

Vulnerabilities need to be evaluated in the context of the applications in which they reside. A SQL injection vulnerability may be extremely critical in one application but insignificant in another. It all depends on the application’s business impact and other mitigating factors. There are various techniques for ranking vulnerabilities. One that is popular in the industry is the Common Vulnerability Scoring System (CVSS).

In order to get a sense of the application security posture of your organization, it is helpful to calculate a security risk rating for each application. Each organization will tailor its risk-rating philosophy and how application risk scores are calculated, but generally, the score is a function of the application’s business impact and the vulnerabilities that are identified. Ranking applications by their security risk score enables security teams and management contacts to obtain a snapshot of the current state of application security and to observe whether they are effectively mitigating risk over time.
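As an added example (not the article's own method or any standard formula), one way to turn "business impact times identified vulnerabilities" into a concrete rating and ranking. The impact weights, the internet-exposure multiplier, the half-weight for mitigated findings, the diminishing aggregation rule and the sample inventory are all constructed assumptions that an organization would tailor.

```python
from dataclasses import dataclass, field
# Added example, not the article's method: weights, exposure multiplier and aggregation rule are assumptions.
IMPACT_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0}

@dataclass
class Vulnerability:
    name: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    mitigated: bool = False  # a compensating control is already in place

@dataclass
class Application:
    name: str
    business_impact: str     # key into IMPACT_WEIGHT, set from the asset inventory
    internet_facing: bool
    vulns: list = field(default_factory=list)

def vuln_contribution(v: Vulnerability) -> float:
    # A mitigated finding still counts, but at half weight (assumption).
    return v.cvss * (0.5 if v.mitigated else 1.0)

def application_risk_score(app: Application) -> float:
    """Business impact weight x exposure factor x aggregate severity.
    The worst finding dominates; each further finding adds a diminishing 10%,
    so ten low findings do not outrank one critical one."""
    contributions = sorted((vuln_contribution(v) for v in app.vulns), reverse=True)
    if not contributions:          # clean scan: no vulnerability-driven risk
        return 0.0
    aggregate = contributions[0] + 0.1 * sum(contributions[1:])
    exposure = 1.5 if app.internet_facing else 1.0
    return round(IMPACT_WEIGHT[app.business_impact] * exposure * aggregate, 1)

def rank_applications(apps: list) -> list:
    """Highest-risk application first: the order in which to work the backlog."""
    return sorted(apps, key=application_risk_score, reverse=True)

# Constructed sample inventory. The same SQL injection finding (CVSS 9.8) sits in
# a critical, internet-facing portal and in a low-impact internal tool, the
# contrast the article draws; hr-payroll has two medium findings, one mitigated.
SQLI = Vulnerability("SQL injection in search", 9.8)
SAMPLE_APPS = [
    Application("cafeteria-menu", "low", False, [SQLI]),
    Application("hr-payroll", "medium", False,
                [Vulnerability("stored XSS", 6.5), Vulnerability("path traversal", 5.3, True)]),
    Application("customer-portal", "critical", True, [SQLI]),
]

if __name__ == "__main__":
    for app in rank_applications(SAMPLE_APPS):
        print(f"{app.name:16s} {application_risk_score(app):6.1f}")
```

Run over this inventory, the identical SQL injection finding scores 58.8 in the customer portal and 9.8 in the cafeteria tool, which is the point: the finding is the same, the risk is not.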

Taking a strategic, risk-based approach is what enables organizations to get a handle on the problem of application security.
