Many of the most important assets organizations own are in the form of information. These include intellectual property, strategic plans and customer data. As we have seen in recent news reports, the cost of a data breach can be significant. Interestingly, one of the main areas of weakness in organizations’ IT infrastructures occurs where people don’t expect it — in the application layer.
The majority of applications aren’t built with security in mind, and they become the weakest link that attackers can exploit to carry out data breaches. According to a recent IBM X-Force Threat Intelligence Quarterly report, out of the 8,330 vulnerability disclosures in 2013, 33 percent were categorized as Web application vulnerabilities.
Taking the First Step in Application Security
Addressing application security can be quite challenging. Large organizations manage thousands of applications, and the task of ensuring their security typically falls on the shoulders of a small, overburdened security team. Unlike other areas of security that are well understood, such as network security and host security, organizations often struggle to find the right way to approach application security. When the severity of the problem becomes obvious, their first reaction is typically to start looking for tools that can scan applications and help detect vulnerabilities. Once the tool has been acquired, the task at hand becomes running application scans. While finding vulnerabilities is important, organizations quickly discover that fully testing all apps and fixing all vulnerabilities is virtually impossible. It becomes difficult to get a full grasp on the problem and make progress toward fixing it.
Understanding Which Assets Need to Be Protected
Application security, just like any other area of security, is about understanding, managing and mitigating risk to critical assets. Unless the approach taken to address application security is based on managing risk, an organization’s application security initiative will likely never become effective.
It may be a surprise to some, but the first step toward better application security is not running scans to discover vulnerabilities. Rather, it is understanding which assets you have to protect. Start by building and understanding the inventory of applications deployed in your organization and classifying and ranking these assets by relative business impact.
Once the inventory has been completed, security teams can focus on applications that are most critical to their organizations. Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. However, that process needs to be completed after you’ve determined which assets need to be protected.
Focus Your Efforts on Vulnerabilities That Present the Highest Risk
The next challenge is figuring out which vulnerabilities present the highest level of risk. Application vulnerabilities can be difficult to address because they require code changes and, in some cases, even application redesigns. Development teams are typically on tight schedules and under a significant amount of pressure to deliver capabilities. Fixing vulnerabilities can be difficult and time-consuming. Therefore, when evaluating and addressing vulnerabilities, taking a risk-based approach is required.
Vulnerabilities need to be evaluated in the context of the applications in which they reside. A SQL injection vulnerability may be extremely critical in one application but insignificant in another. It all depends on the application’s business impact and other mitigating factors. There are various techniques for ranking vulnerabilities. One that is popular in the industry is the Common Vulnerability Scoring System.
In order to get a sense of the application security posture of your organization, it is helpful to calculate a security risk rating for each application. Each organization will tailor its risk-rating philosophy and how application risk scores are calculated, but generally, it is the function of the application’s business impact and vulnerabilities that are identified. Ranking applications by their security risk score enables security teams and management contacts to obtain a snapshot of the current state of application security and to observe whether they are effectively mitigating risk over time.
Taking a strategic, risk-based approach is what enables organizations to get a handle on the problem of application security.