Many of the most important assets organizations own are in the form of information. These include intellectual property, strategic plans and customer data. As we have seen in recent news reports, the cost of a data breach can be significant. Interestingly, one of the main areas of weakness in organizations’ IT infrastructures occurs where people don’t expect it — in the application layer.

The majority of applications aren’t built with security in mind, and they become the weakest link that attackers can exploit to carry out data breaches. According to a recent IBM X-Force Threat Intelligence Quarterly report, out of the 8,330 vulnerability disclosures in 2013, 33 percent were categorized as Web application vulnerabilities.

Taking the First Step in Application Security

Addressing application security can be quite challenging. Large organizations manage thousands of applications, and the task of ensuring their security typically falls on the shoulders of a small, overburdened security team. Unlike other areas of security that are well understood, such as network security and host security, organizations often struggle to find the right way to approach application security. When the severity of the problem becomes obvious, their first reaction is typically to start looking for tools that can scan applications and help detect vulnerabilities. Once the tool has been acquired, the task at hand becomes running application scans. While finding vulnerabilities is important, organizations quickly discover that fully testing all apps and fixing all vulnerabilities is virtually impossible. It becomes difficult to get a full grasp on the problem and make progress toward fixing it.

Understanding Which Assets Need to Be Protected

Application security, just like any other area of security, is about understanding, managing and mitigating risk to critical assets. Unless the approach taken to address application security is based on managing risk, an organization’s application security initiative will likely never become effective.

It may be a surprise to some, but the first step toward better application security is not running scans to discover vulnerabilities. Rather, it is understanding which assets you have to protect. Start by building and understanding the inventory of applications deployed in your organization and classifying and ranking these assets by relative business impact.

Once the inventory has been completed, security teams can focus on applications that are most critical to their organizations. Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. However, that process needs to be completed after you’ve determined which assets need to be protected.

Focus Your Efforts on Vulnerabilities That Present the Highest Risk

The next challenge is figuring out which vulnerabilities present the highest level of risk. Application vulnerabilities can be difficult to address because they require code changes and, in some cases, even application redesigns. Development teams are typically on tight schedules and under a significant amount of pressure to deliver capabilities. Fixing vulnerabilities can be difficult and time-consuming. Therefore, a risk-based approach is required when evaluating and addressing vulnerabilities.

Vulnerabilities need to be evaluated in the context of the applications in which they reside. A SQL injection vulnerability may be extremely critical in one application but insignificant in another. It all depends on the application’s business impact and other mitigating factors. There are various techniques for ranking vulnerabilities. One that is popular in the industry is the Common Vulnerability Scoring System.

In order to get a sense of the application security posture of your organization, it is helpful to calculate a security risk rating for each application. Each organization will tailor its risk-rating philosophy and how application risk scores are calculated, but generally, the score is a function of the application's business impact and the vulnerabilities identified in it. Ranking applications by their security risk score enables security teams and management contacts to obtain a snapshot of the current state of application security and to observe whether they are effectively mitigating risk over time.
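The steps above (inventory and classify the applications, evaluate each finding in the context of the application it lives in, then rank applications by a risk score) can be made concrete in a few dozen lines. The following is an added example, not code from the article or from IBM: the impact tiers, their weights, the rule for aggregating CVSS base scores into one per-application number, and the sample inventory are all assumptions made for illustration. It uses the same SQL injection finding in a critical and in a low-impact application to show the contextual difference the article describes, and honors a `mitigated` flag so compensating controls lower the score.

```python
from dataclasses import dataclass, field

# Business-impact tiers from the application inventory. The tier names and
# weights are an assumed classification scheme, not one the article prescribes.
IMPACT_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Vulnerability:
    title: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    mitigated: bool = False  # a compensating control is in place (assumed attribute)


@dataclass
class Application:
    name: str
    impact: str                               # key into IMPACT_WEIGHT
    vulns: list = field(default_factory=list)


def vuln_score(app: Application) -> float:
    """Aggregate the open findings of one application into a 0-10 score.

    The highest unmitigated CVSS score dominates; every additional open
    finding adds 5 percent of its own score, so a pile of lows never outranks
    a single critical but is not ignored either. This weighting is an
    assumption made for the example.
    """
    open_scores = sorted((v.cvss for v in app.vulns if not v.mitigated), reverse=True)
    if not open_scores:
        return 0.0
    head, tail = open_scores[0], open_scores[1:]
    return round(min(10.0, head + 0.05 * sum(tail)), 2)


def risk_score(app: Application) -> float:
    """Application risk = business-impact weight x aggregated vulnerability score."""
    if app.impact not in IMPACT_WEIGHT:
        # An unclassified application cannot be ranked; surface the inventory gap.
        raise ValueError(f"{app.name}: unclassified impact tier {app.impact!r}")
    return round(IMPACT_WEIGHT[app.impact] * vuln_score(app), 2)


def rank_applications(apps):
    """Return applications ordered from highest to lowest risk score."""
    return sorted(apps, key=risk_score, reverse=True)


def portfolio_total(apps) -> float:
    """One number to plot over time: the sum of all application risk scores."""
    return round(sum(risk_score(a) for a in apps), 2)


# Constructed sample inventory; names, tiers and findings are made up.
SQLI = Vulnerability("SQL injection in search endpoint", 9.8)
INVENTORY = [
    Application("payments-api", "critical",
                [SQLI, Vulnerability("Reflected XSS in error page", 6.1)]),
    Application("hr-portal", "high", [
        Vulnerability("Outdated TLS configuration", 7.5, mitigated=True),
        Vulnerability("Verbose stack traces", 6.5),
        Vulnerability("Missing rate limiting on login", 5.3),
        Vulnerability("Clickjacking", 4.3),
    ]),
    Application("intranet-wiki", "low", [SQLI]),  # same finding, different context
    Application("cafeteria-menu", "low", []),
]

if __name__ == "__main__":
    for app in rank_applications(INVENTORY):
        print(f"{app.name:15} impact={app.impact:9} "
              f"vuln={vuln_score(app):5} risk={risk_score(app)}")
    print("portfolio total:", portfolio_total(INVENTORY))
```

With this inventory the SQL injection scores 40.0 in `payments-api` and 9.8 in `intranet-wiki`, even though the CVSS base score is identical, and the mitigated TLS finding in `hr-portal` does not count toward its score. Re-running `portfolio_total` after each scan cycle gives the trend line the article suggests for checking whether risk is actually being reduced over time.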

Taking a strategic, risk-based approach is what enables organizations to get a handle on the problem of application security.
