The Application Security Challenge

If you are a security and risk professional working with software developers and quality assurance teams, a familiar sight on Gantt and Pareto charts is a single red light among all the green ones, one that tends to stay unresolved until the last stages of a product release: security testing.

Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of cybersecurity. According to “The State of Risk-Based Security Management,” conducted by the Ponemon Institute, organizations’ IT budgets for network security are, on average, 25 percent more than that for application security. This is despite the fact that the application layer is twice as risk-prone as the network layer.

Why You Need to Ditch the Bandages

Every software application, Web or mobile, has a bug waiting to be discovered. While the number of applications is growing rapidly across organizations, the task of securing them usually falls on a severely understaffed IT team. And because security is treated purely as a technical discipline, its measurement — particularly its effect on business outcomes and overall risk posture — is often informal at best. A Gartner analysis titled “Risk and Security Management in Midsize Organizations” found that a majority of organizations do not have a formal mechanism to assess organization-wide risk. This can mean that unacceptable threats routinely go unaddressed, leaving organizations noncompliant with external regulations and ultimately vulnerable to attacks.

What happens when there is little understanding of where the work involved in securing applications begins and ends?

  • The “Band-Aid®” Approach: Activities for assessing, prioritizing and remediating application vulnerabilities are ad hoc, fragmented and carried out at low levels in the IT security organization.
  • The “Ostrich With Its Head in the Sand” Approach: IT and business management typically have no visibility into the overall state of application security.
  • The “It’ll All Work Out Somehow” Approach: Quality assurance and software development groups lack the knowledge and incentives to address critical vulnerabilities early in application development life cycles, where it is most cost-effective.

Reactively securing applications is no longer enough to deal with the ever-growing number of applications and vulnerabilities.

Risk-Based Application Security Management

Managing security is really all about managing risk. You can make application security a strategically managed discipline by following a five-step process:

1. Create an Inventory of Application Assets and Assess Impact

According to a SANS Institute study, more than one-fourth of respondents didn’t know how many applications their organization used or managed. In order for any application security initiative to be effective, it is imperative to begin by understanding which application assets need to be protected. Start by building and understanding the inventory of applications deployed in your organization and ranking these assets by relative business impact.

2. Test the Applications for Vulnerabilities

Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. But determining beforehand which assets need to be scanned saves you an aspirin later.

There are various scanning technologies and techniques that can each assess different levels of vulnerabilities, but none can solve for all security risks. For instance, dynamic analysis technology provides automated vulnerability discovery but does not show why the vulnerability exists or specifically where it lives — which static analysis tools can. Manual penetration testers bring in the human interface needed to focus on vulnerabilities that require business logic skills for discovery. All three work better together than implementing them piecemeal. Thus, look to adopt multiple tools and techniques to help you manage, discover and remedy insecure applications within your enterprise.

3. Determine the Risks and Prioritize the Vulnerabilities

Once you assess the business criticality of applications and the vulnerabilities within them, you are primed to analyze the risk profile of your portfolio. Ranking applications by their security risk score enables security teams and management contacts to obtain a snapshot of the current state of application security and observe whether they are effectively mitigating risk over time.

4. Remediate the Risks

The risk-rating approach to remediation allows security managers to direct the right resources at the crown jewels first. While fixing the code is the most common and effective way to remediate vulnerabilities, technologies like Web application firewalls, virtual patching and runtime application self-protection (RASP) are reasonable short-term alternatives while a fix is pending.

In essence, remediation is not just about fixing individual defects. Security managers should look for opportunities to improve underlying processes.

5. Measure Progress and Demonstrate Compliance

According to the “2015 State of Application Security: Closing the Gap” study by the SANS Institute, 47 percent of respondents (the largest group) felt that the effectiveness of their application security programs needed improvement when evaluated internally (47 percent), and 36 percent felt so in comparison to other organizations.

The five-step approach explained here unlocks a gold mine of trend data that shows progress — or a lack of it — for teams and business units in terms of high-priority vulnerabilities, total vulnerabilities and vulnerabilities of specific types. With the right application security data, security managers can answer questions such as: Is the overall risk posture of the organization improving? Are we allocating resources where they will have the greatest impact on reducing business risk?
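The five steps above fit together as a single pipeline: an inventory with a business-impact rating (step 1), findings from several testing sources (step 2), a risk score that ranks applications (step 3), a remediation queue drawn from that ranking (step 4) and a comparison between two snapshots to show the trend (step 5). The following Python is an added example written for this page, not code from the article or from any vendor product; the inventory, the findings and the severity weights are constructed assumptions chosen to illustrate the process, not an industry standard.

```python
"""Risk-based prioritization over an application inventory (added example).

Everything below is constructed: the inventory, the findings and the
weights. Real programs would take the inventory from a CMDB and the
findings from DAST/SAST/pentest exports.
"""
from collections import defaultdict

# Step 1 (constructed): application -> business impact, 1 (low) to 5 (critical).
INVENTORY = {
    "payments-api": 5,
    "customer-portal": 4,
    "internal-wiki": 1,
}

# Step 2 (constructed): merged findings from dynamic, static and manual testing,
# as (application, finding id, CVSS-style base score, source).
FINDINGS = [
    ("payments-api", "F-001", 9.8, "sast"),
    ("payments-api", "F-002", 5.3, "dast"),
    ("customer-portal", "F-003", 7.5, "dast"),
    ("customer-portal", "F-004", 7.5, "pentest"),
    ("customer-portal", "F-005", 4.0, "sast"),
    ("internal-wiki", "F-006", 9.8, "dast"),
    ("legacy-reports", "F-007", 6.5, "dast"),  # not in the inventory at all
]


def severity_weight(cvss: float) -> int:
    """Map a CVSS-style score onto an illustrative weight (an assumption, not a standard)."""
    if cvss >= 9.0:
        return 10
    if cvss >= 7.0:
        return 5
    if cvss >= 4.0:
        return 2
    return 1


def unknown_assets(inventory, findings):
    """Applications that produced findings but have no inventory entry (a step 1 gap)."""
    return sorted({app for app, *_ in findings if app not in inventory})


def rank_applications(inventory, findings):
    """Step 3: score = business impact x sum of finding weights, highest risk first.

    Returns a list of (application, score, number of critical findings). Applications
    without findings still appear, with a score of 0, so the snapshot covers the whole
    inventory; findings for uninventoried applications are skipped, not scored.
    """
    weights = defaultdict(int)
    criticals = defaultdict(int)
    for app, _fid, cvss, _src in findings:
        if app not in inventory:
            continue
        weights[app] += severity_weight(cvss)
        if cvss >= 9.0:
            criticals[app] += 1
    rows = [(app, impact * weights[app], criticals[app]) for app, impact in inventory.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def remediation_queue(ranking, findings):
    """Step 4: individual findings ordered by their application's rank, then by severity."""
    position = {app: i for i, (app, _score, _crit) in enumerate(ranking)}
    queue = [f for f in findings if f[0] in position]
    return sorted(queue, key=lambda f: (position[f[0]], -f[2]))


def trend(previous, current):
    """Step 5: change in score per application between two snapshots (negative means improving)."""
    prev = {app: score for app, score, _ in previous}
    return {app: score - prev.get(app, 0) for app, score, _ in current}


if __name__ == "__main__":
    print("Uninventoried assets with findings:", unknown_assets(INVENTORY, FINDINGS))
    ranking = rank_applications(INVENTORY, FINDINGS)
    for app, score, crit in ranking:
        print(f"{app:18} score={score:3d} critical={crit}")
    print("Next to fix:", remediation_queue(ranking, FINDINGS)[0][1])
    # Simulate fixing the top finding and re-running the assessment.
    after_fix = rank_applications(INVENTORY, [f for f in FINDINGS if f[1] != "F-001"])
    print("Trend after fixing F-001:", trend(ranking, after_fix))
```

Note what the business-impact multiplier does in this constructed data: the internal wiki carries a critical finding, yet it ranks below the customer portal, which has only high-severity findings but a much higher impact rating. That is the point of scoring at the portfolio level rather than sorting raw scanner output by CVSS. The `unknown_assets` check is the step 1 lesson in code form: a finding against an application that is not in the inventory cannot be scored, so it silently drops out of the ranking unless you look for it.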

The Bottom Line

Putting bandages on your application layer vulnerabilities will only delay the inevitable. In order to truly mitigate risk, your organization needs a risk-based, strategic and preventive approach to application security.

You should know how many applications your firm has, develop an effective application security process that keeps your resources accountable through discovery and remediation in the SDLC, and constantly measure and reassess the needs of your business.

Download a complimentary copy of our Ponemon Institute study to learn more about application security risk management challenges faced by organizations like yours.
