Application Vulnerability Management Requires a Risk-based Approach
Application security teams face unique and often daunting challenges. It’s their job to protect the organization from application vulnerabilities that can lead to data breaches. Yet, with all of that accountability, they have very little of the responsibility for actually remediating application vulnerabilities, which leaves them constantly on the proverbial hot seat. They’re quickly blamed when critical vulnerabilities aren’t fixed in a timely manner, but there’s honestly little they can do about it. The development teams are the only ones who can remediate those vulnerabilities, and that’s not their primary job. Usually, a developer’s primary job is to get new features out quickly, not to perform security fixes.
Using Prioritization to Get Off the Hot Seat
So how can AppSec teams make their lives easier and get off the hot seat? Simple. By making developers’ lives easier. One way to do that is to prioritize which vulnerabilities should be remediated first and which can be pushed to later (or never). But to do this, they need to understand which vulnerabilities pose the highest risk, and that requires comprehensive and truly defensible data that lets them assign a specific risk metric to each one.
There are a multitude of application security tools available, but each one provides only a small portion of the data needed to make a judgement call. Unless the findings from these various tools are correlated and de-duplicated, and then merged with information about application context and current exploit data, all of this data is simply that: data. Sifting through mounds of flat data without any additional color to help teams make sense of what it all means is a time-consuming and relatively fruitless effort.
The Importance of Context
AppSec can’t have their development teams remediate everything. That is not only impractical, but also unnecessary, since only a relatively small portion of application vulnerabilities pose any real risk. So, to gain the upper hand against cyberattacks, application security teams need context to understand what is truly going on in their environment. By weaving together all of the security data from their various scanners, testing tools, and other sources, they can develop a specific risk score for every single vulnerability they have. Once this is done, they can easily rank order those vulnerabilities by that score. Automation has to play a key role in this process, so that AppSec teams can quickly understand, correlate, and disseminate the intelligence. Speed and efficiency are certainly important, and automation can perform in seconds what would take a human being hours or even days to complete. But automation can also scale well beyond what a team of human beings could ever do.
With the appropriate context, application security teams can more easily determine which of the organization’s thousands of vulnerabilities pose the most risk and therefore appropriately prioritize what should be remediated first. And because they’ll have a comprehensive view of their true application risk posture, they’ll be in a far better position to exert an appropriate level of influence to reduce it without putting undue strain on development teams.
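The pipeline described above (correlate and de-duplicate scanner findings, merge in application context and exploit data, score, then rank) as an added, self-contained example; it is not Kenna Security’s code or scoring model. The finding fields, the `CVE-XXXX-0001` placeholder id, the sample data and the weighting formula are all constructed assumptions chosen to show why three "critical" findings can end up with very different priorities.

```python
from dataclasses import dataclass, field
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 9}

# Constructed sample data; the field names and the scoring model are assumptions.
RAW_FINDINGS = [
    {"tool": "sast", "app": "billing", "vuln_id": "RULE-SQLI", "location": "api/orders.py:42", "severity": "high"},
    {"tool": "dast", "app": "billing", "vuln_id": "RULE-SQLI", "location": "api/orders.py:42", "severity": "critical"},
    {"tool": "sca", "app": "billing", "vuln_id": "CVE-XXXX-0001", "location": "lib/serializer", "severity": "critical"},
    {"tool": "sast", "app": "intranet-wiki", "vuln_id": "RULE-XSS", "location": "pages/view.py:10", "severity": "critical"},
]
APP_CONTEXT = {  # application context, e.g. from an asset inventory
    "billing": {"internet_facing": True, "sensitive_data": True},
    "intranet-wiki": {"internet_facing": False, "sensitive_data": False},
}
EXPLOIT_DATA = {"CVE-XXXX-0001": True}  # placeholder id; exploit-intel feed reports it exploited in the wild

@dataclass
class Finding:
    app: str
    vuln_id: str
    location: str
    severity: str
    tools: set = field(default_factory=set)

def correlate(raw):
    """De-duplicate: same app, id and location from several tools become one finding at the highest severity."""
    merged = {}
    for r in raw:
        key = (r["app"], r["vuln_id"], r["location"])
        f = merged.setdefault(key, Finding(r["app"], r["vuln_id"], r["location"], r["severity"]))
        if SEVERITY_WEIGHT[r["severity"]] > SEVERITY_WEIGHT[f.severity]:
            f.severity = r["severity"]
        f.tools.add(r["tool"])
    return list(merged.values())

def risk_score(f, app_context, exploit_data):
    """Assumed model: severity weight x context multiplier, x2 if actively exploited, x1.2 if two tools agree."""
    ctx = app_context.get(f.app, {})
    score = SEVERITY_WEIGHT[f.severity]
    score *= 1 + 0.5 * ctx.get("internet_facing", False) + 0.5 * ctx.get("sensitive_data", False)
    if exploit_data.get(f.vuln_id, False):
        score *= 2
    if len(f.tools) > 1:
        score *= 1.2
    return round(score, 1)

def prioritize(raw, app_context, exploit_data):
    """Return (app, vuln_id, score) tuples, highest risk first."""
    scored = [(f.app, f.vuln_id, risk_score(f, app_context, exploit_data)) for f in correlate(raw)]
    return sorted(scored, key=lambda t: t[2], reverse=True)
```

With the sample data, the exploited SCA finding outranks the SQL injection confirmed by two tools, and the "critical" XSS on the internal wiki drops to the bottom despite sharing the same scanner severity.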
To learn more about the specific challenges application security teams face and how to take a risk-based approach to application vulnerability management, download our white paper, Stop Playing Catch-Up on Application Risk.
Credit: Jeff Abound, Kenna Security