The Application Security Challenge
If you are a security and risk professional working with software developers and quality assurance teams, a familiar sight on Gantt and Pareto charts is a tiny red light among all the green ones, which tends to go unresolved until the last stages of a product release: security testing.
Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of cybersecurity. According to “The State of Risk-Based Security Management,” conducted by the Ponemon Institute, organizations’ IT budgets for network security are, on average, 25 percent more than that for application security. This is despite the fact that the application layer is twice as risk-prone as the network layer.
Why You Need to Ditch the Bandages
Every software application, Web or mobile, has a bug waiting to be discovered. While applications are growing at a rapid pace across organizations, the task of securing them usually falls on a severely understaffed IT team. And because security is treated purely as a technical discipline, its measurement — particularly its effects on business outcomes and overall risk posture — is often informal at best. A Gartner analysis titled “Risk and Security Management in Midsize Organizations” found that a majority of organizations do not have a formal mechanism to assess organizationwide risk. This could mean that unacceptable threats routinely go unaddressed, leaving organizations noncompliant with external regulations and ultimately vulnerable to attacks.
What happens when there is little understanding of where the work involved in securing applications begins and ends?
- The “Band-Aid®” Approach: Activities for assessing, prioritizing and remediating application vulnerabilities are ad hoc, fragmented and carried out at low levels in the IT security organization.
- The “Ostrich With Its Head in the Sand” Approach: IT and business management typically have no visibility into the overall state of application security.
- The “It’ll All Work Out Somehow” Approach: Quality assurance and software development groups lack the knowledge and incentives to address critical vulnerabilities early in application development life cycles, where it is most cost-effective.
Reactively securing applications is no longer enough to deal with the ever-growing number of applications and vulnerabilities.
Risk-Based Application Security Management
Managing security is really all about managing risk. You can make application security a strategically managed discipline by following a five-step process:
1. Create an Inventory of Application Assets and Assess Impact
According to a SANS Institute study, more than one-fourth of respondents didn’t know how many applications their organization used or managed. In order for any application security initiative to be effective, it is imperative to begin by understanding which application assets need to be protected. Start by building and understanding the inventory of applications deployed in your organization and ranking these assets by relative business impact.
2. Test the Applications for Vulnerabilities
Conducting vulnerability assessments is important, and automated scanning tools can save a lot of time. But ensuring that you have determined beforehand what assets need to be scanned saves you an aspirin.
There are various scanning technologies and techniques that can each assess different levels of vulnerabilities, but none can solve for all security risks. For instance, dynamic analysis technology provides automated vulnerability discovery but does not show why the vulnerability exists or specifically where it lives, which static analysis tools can. Manual penetration testers bring in the human interface needed to focus on vulnerabilities that require business logic skills for discovery. All three work better together than when implemented piecemeal. Thus, look to adopt multiple tools and techniques to help you manage, discover and remedy insecure applications within your enterprise.
3. Determine the Risks and Prioritize the Vulnerabilities
Once you assess the business criticality of applications and the vulnerabilities within them, you are primed to analyze the risk profile of your portfolio. Ranking applications by their security risk score enables security teams and management contacts to obtain a snapshot of the current state of application security and observe whether they are effectively mitigating risk over time.
4. Remediate the Risks
The risk-rating approach to remediation allows security managers to deploy the right resources to solve for the crown jewels first. While fixing code is the most common and effective way to remediate vulnerabilities, technologies like Web application firewalls, virtual patching and runtime application self-protection (RASP) are good short-term alternatives.
In essence, remediation is not just about fixing individual defects. Security managers should look for opportunities to improve underlying processes.
5. Measure Progress and Demonstrate Compliance
According to the “2015 State of Application Security: Closing the Gap” study by the SANS Institute, 47 percent of respondents (representing the majority) felt that the effectiveness of their application security programs needed improvement, whether evaluated internally (47 percent) or in comparison to other organizations (36 percent).
The five-step approach explained here unlocks a gold mine of trend data that shows progress — or a lack of it — for teams and business units in terms of high-priority vulnerabilities, total vulnerabilities and vulnerabilities of specific types. With the right application security data, security managers can answer questions such as: Is the overall risk posture of the organization improving? Are we allocating resources where they will have the greatest impact reducing business risk?
The Bottom Line
Putting bandages on your application layer vulnerabilities will only delay the inevitable. In order to truly mitigate risk, your organization needs a risk-based, strategic and preventive approach to application security.
You should know how many applications your firm has, develop an effective application security process to keep your resources accountable through discovery and remediation in the SDLC, and constantly measure and reassess the needs of your business.