Risk-Based Application Security Management

In a large organization with thousands of applications and a small security team, a strategic application security management system is required to sustain security at the enterprise level. AppScan Enterprise 9.0 offers a risk-based approach to efficiently address this requirement. However, a single measure of risk that can properly correspond to every organization’s strategy cannot be strictly determined and programmed. With IBM AppScan Enterprise 9.0, organizations can define risk based on their own strategy.

A measure for risk can be determined on an application by factors such as access, business impact, significance of security threats and so on. All these factors can be customized and programmed into AppScan Enterprise’s calculations. With this flexibility, managers can define rules to measure risk and then automatically classify or rank applications based on that risk to help them make reliable and resource-efficient decisions.

Creating an Application Security Inventory

To build an inventory of applications, the applications can be added to the system by specifying their properties one by one or by importing a file in .csv format. The result is a list of applications that can be easily filtered to search for specific criteria (Image 1). To assist analysis of a large inventory of applications, a visualized summary of the data is also provided (Image 2).

Image 1: Inventory of applications with ability to be filtered and sorted*

Image 2: Interactive visualized summary of the important properties of applications.*

Customized Definition and Classification of Applications

All security teams have their own rules and requirements, and AppScan Enterprise 9.0 provides flexibility in defining attributes and rules based on those attributes to classify, filter and sort applications. In addition to providing all information needed by the security team for managing security threats on individual applications, this feature also enables the flexible, risk-based management process that was discussed earlier.

The system administrator can define and edit the application profile template, which consists of customizable application attributes that can be created as a single value, multiple values (comma-separated or multiline), drop-down and formulas.

Formula attributes can be used for automatic classification of applications based on multiple factors. The building blocks of formulas are the following: Basic Excel-like functions (COUNT, IF and MAX); arithmetic operators (e.g., +, %, *, >); and values of other attributes using data from applications and security issues within those applications. With a combination of these building blocks, attributes can be built to easily classify and sort applications.

Integration of Security Scans with the Inventory of Applications

For an effective application security management process, and for best addressing the security team’s needs, the inventory of applications displays the security issues that are reported in AppScan® Enterprise. All security issues, regardless of the method of discovery, are gathered in a single view in the application profile. Having all security issues consolidated in one place instead of searching for them in separate security scan reports allows for a better understanding of the security testing coverage and security status of an application. Although many security issues can be associated with an application, this view is easily filtered and sorted so that the information needed can be efficiently retrieved.

To build this consolidated view, security scans need to be associated with applications; then, the security issues found by or imported into AppScan® Enterprise will immediately appear in the application profile. Upon successive execution of these security scans, the security issues are automatically updated in the application profile.

In addition to the searchable list of security issues, a visualized summary of the issues based on their important attributes is provided at the top of the list of issues (Image 3). In this way, users can take advantage of this system based on what their current task requires them to accomplish: A detailed view of individual security issues or an aggregated summary across all scans on a specific application.

Moreover, application formula attributes can be created based on statistics about the security issues found on that application. For example, a system administrator can create an application attribute to determine application risk based on the number of high-severity issues on an application (Image 4). Thus, the same data on which development is working is rolled up into the higher view on which management bases their decisions.

Image 3: Interactive visualized summary of security issues found for an application. Clicking on each section of these charts applies relevant filters to the list of security issues reported for the application.

Image 4: A formula attribute named “Risk Based on Issues” is created, and its value is calculated based on the number of high-severity issues. This view helps to easily identify high-risk applications in the “Automotive Products” business unit.*

Making Decisions for Organizational Security

IBM® Security AppScan® Enterprise 9.0 helps you answer many questions in an informed and efficient decision-making process. To give you an idea, the following paragraph provides some examples based on the predefined attributes built into the 9.0 release. Although these attributes are predefined, their values and formulas can be customized based on different organizations’ application security management needs.

The “Security Risk Rating by Business Unit” interactive summary chart (Image 5) can be used to filter applications that present the highest risk within a business unit. Prioritize applications based on their risk rating by sorting applications using their “Risk Rating” attribute (Image 6). Find out about the status of security testing across your application portfolio by using the “Testing Status” interactive summary chart. Make decisions regarding developer training by observing the “Top Issue Types” summary chart (Image 7).

Because of its customizable nature, the extent of the questions that this system can help answer depends on the criteria defined by the system administrator. Use the application custom attributes to define properties and metrics that align with your strategy. Use the interactive summary charts and filters to find the information needed for your decision making at a glance. The information about security issues in this system is updated by developers and security team activities, giving management reliable and up-to-date data to analyze.

For further information, view brief demonstrations of how AppScan Enterprise can be used to create application inventories (video), review applications’ security risk ratings, address PCI DSS compliance requirements and gain comprehensive views of application security risk in organizations (video) like yours.

Image 5: The “Security Risk Rating by Business Unit” interactive summary chart visualizes statistics about risk rating of applications within a business unit. Clicking on each section of the chart filters the list of applications by the criteria specified on that section.

Image 6: Sort applications by “Risk Rating” and find business owners and testers responsible for the applications with high risk across a division.*

Image 7: High-severity issue types summarized in this interactive chart highlights the common areas in which developers need more training.

*The application, division and people names in these images are not based on real-world data.

more from Application Security