Many of the most important assets organizations own are in the form of information. These include intellectual property, strategic plans and customer data. As we have seen in recent news reports, the cost of a data breach can be significant. Interestingly, one of the main areas of weakness in organizations’ IT infrastructures occurs where people don’t expect it — in the application layer.

The majority of applications aren’t built with security in mind, and they become the weakest link that attackers can exploit to carry out data breaches. According to a recent IBM X-Force Threat Intelligence Quarterly report, out of the 8,330 vulnerability disclosures in 2013, 33 percent were categorized as Web application vulnerabilities.

Taking the First Step in Application Security

Addressing application security can be quite challenging. Large organizations manage thousands of applications, and the task of ensuring their security typically falls on the shoulders of a small, overburdened security team. Unlike other areas of security that are well understood, such as network security and host security, organizations often struggle to find the right way to approach application security. When the severity of the problem becomes obvious, their first reaction is typically to start looking for tools that can scan applications and help detect vulnerabilities. Once the tool has been acquired, the task at hand becomes running application scans. While finding vulnerabilities is important, organizations quickly discover that fully testing all apps and fixing all vulnerabilities is virtually impossible. It becomes difficult to get a full grasp on the problem and make progress toward fixing it.

Understanding Which Assets Need to Be Protected

Application security, just like any other area of security, is about understanding, managing and mitigating risk to critical assets. Unless the approach taken to address application security is based on managing risk, an organization’s application security initiative will likely never become effective.

It may be a surprise to some, but the first step toward better application security is not running scans to discover vulnerabilities. Rather, it is understanding which assets you have to protect. Start by building and understanding the inventory of applications deployed in your organization and classifying and ranking these assets by relative business impact.

Once the inventory has been completed, security teams can focus on applications that are most critical to their organizations. Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. However, that process needs to be completed after you’ve determined which assets need to be protected.

Focus Your Efforts on Vulnerabilities That Present the Highest Risk

The next challenge is figuring out which vulnerabilities present the highest level of risk. Application vulnerabilities can be difficult to address because they require code changes and, in some cases, even application redesigns. Development teams are typically on tight schedules and under significant pressure to deliver new capabilities, so fixing vulnerabilities competes for scarce time. Therefore, a risk-based approach is required when evaluating and addressing vulnerabilities.

Vulnerabilities need to be evaluated in the context of the applications in which they reside. A SQL injection vulnerability may be extremely critical in one application but insignificant in another. It all depends on the application's business impact and other mitigating factors. There are various techniques for ranking vulnerabilities. One that is popular in the industry is the Common Vulnerability Scoring System (CVSS).

In order to get a sense of your organization's application security posture, it is helpful to calculate a security risk rating for each application. Each organization will tailor its risk-rating philosophy and how application risk scores are calculated, but generally the score is a function of the application's business impact and the vulnerabilities identified in it. Ranking applications by their security risk score gives security teams and management a snapshot of the current state of application security and lets them observe whether they are effectively mitigating risk over time.
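As an added worked example (not code from the article), the following Python script scores a constructed application inventory the way this section describes: each application's business-impact tier from the inventory is combined with the CVSS base scores of its findings, and the applications are ranked by the result. The tier weights, the aggregation rule and the sample inventory are assumptions for illustration, not a standard.

```python
"""Application risk rating = business impact x aggregated CVSS findings.
Added example, not code from the original article. Inventory entries, CVSS
scores and the aggregation rule are constructed assumptions; the article
notes that each organization tailors its own formula.
"""
from dataclasses import dataclass, field

# Business-impact tiers assigned during the inventory exercise (assumed scale).
IMPACT_WEIGHT = {"low": 1.0, "moderate": 2.0, "high": 3.0, "critical": 4.0}

@dataclass
class Application:
    name: str
    business_impact: str                              # tier from the inventory
    cvss_scores: list = field(default_factory=list)   # CVSS base scores, 0-10

def vulnerability_score(cvss_scores):
    """Collapse CVSS base scores into one 0-10 figure (assumed rule): the worst
    finding dominates and each further finding adds a tenth of its score, capped at 10."""
    if not cvss_scores:
        return 0.0
    ordered = sorted(cvss_scores, reverse=True)
    return round(min(ordered[0] + 0.1 * sum(ordered[1:]), 10.0), 2)

def application_risk(app):
    """Risk = impact weight x vulnerability score, so 0 to 40."""
    weight = IMPACT_WEIGHT[app.business_impact]
    return round(weight * vulnerability_score(app.cvss_scores), 2)

def rank_applications(apps):
    """(name, risk) pairs, highest first: the posture snapshot for management."""
    scored = [(a.name, application_risk(a)) for a in apps]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def portfolio_risk(apps):
    """Sum over the inventory; tracked over time it shows whether fixes reduce risk."""
    return round(sum(application_risk(a) for a in apps), 2)

# Constructed inventory: the same SQL injection (CVSS 9.8) sits in a critical
# payments API and in a low-impact internal wiki, and is ranked very differently.
INVENTORY = [
    Application("payments-api", "critical", [9.8, 6.5, 5.3]),
    Application("internal-wiki", "low", [9.8]),
    Application("crm-portal", "high", [7.5, 7.5, 4.3]),
    Application("marketing-site", "moderate", []),
]

if __name__ == "__main__":
    for name, risk in rank_applications(INVENTORY):
        print(f"{name:15s} {risk:6.2f}")
    print(f"{'portfolio':15s} {portfolio_risk(INVENTORY):6.2f}")
```

Re-running the script after fixes are deployed, with the resolved findings removed from the inventory, shows the portfolio total falling, which is the over-time view the section calls for.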

Taking a strategic, risk-based approach is what enables organizations to get a handle on the problem of application security.
