
The 5 Stages of Security Risk in Web Applications


Why a cradle-to-grave approach to managing vulnerabilities is the best defense against today’s massive security breaches.

Published in: Software
  2. Hacks, attacks and full-blown assaults on companies worldwide have become regular events in recent years. What is one of the most common sources of breaches? Web applications. The Verizon 2015 Data Breach Investigations Report found that web applications account for as much as 35 percent of breaches in some industries [1]. While there is no way to be completely impervious to all of today's threats, a key component of a strong application security program is spotting potential problems and defusing them before a breach takes place.
     The 5 Stages of Application Security Risks | 01
  3. It is certainly no news flash that cybercrooks are an opportunistic bunch. According to the Verizon report, 98 percent of web application attacks aim at easy marks such as coding errors and unprotected applications [2]. What is more, these intrusions and breaches can take place at any stage of the software lifecycle, which makes it essential to monitor conditions throughout all five lifecycle stages:
     - Design
     - Development
     - Deployment
     - Upgrade and Patches
     - Maintenance
     Veracode has found that a typical organization has, on average, 30 percent more websites and web pages than it officially recognizes. Making matters worse, about 80 percent of applications written in web scripting languages fail at least one OWASP Top 10 category at the time of an initial assessment [3].
  4. SURVEYING THE DANGERS. You should launch your application security initiative before any code is ever written and continue your efforts through the entire software lifecycle. There are risks at each stage.
     What are the most common attack methods? [4]
     - Use of stolen credentials: 51%
     - Use of backdoor or C2: 41%
     - SQL injection: 19%
     - Remote file inclusion (RFI): 8%
     - Abuse of functionality: 8%
  5. Design. The design stage is critical because it establishes an organization's overall web application security framework. The biggest risks at this stage include:
     - Poor design of security technologies such as password management and other authentication and authorization mechanisms, or failure to incorporate multifactor authentication
     - Practices and procedures that allow inadvertent or malicious abuse of resources, such as poor or no threat modeling, and a failure to anticipate and/or defend against possible paths of attack
     - Software and code that fails to address specific and known vulnerabilities
     - Applications and software that are used differently than originally intended and are therefore in a new risk landscape, such as applications newly deployed in the cloud
     According to Veracode initial assessment scan data, the share of applications found vulnerable varies widely by language, from about 21 percent for Java to 64 percent for Microsoft Classic ASP [5].
  6. Development. During the development stage, it is vital to focus on several issues that directly impact security. Among the biggest risks:
     - A lack of standards and standard libraries for software coding, including data format validation and database query validation
     - A lack of governance structure and standards that encompasses API libraries, coding libraries and open-source scripting
     - Too little emphasis on testing software for application security issues, or managing the process at too late a stage or in an ad hoc way; this is a major concern in Agile and DevOps environments
     - No mechanism for staying current about new threats and recently discovered bugs in the code base, and no systematic and effective way to find all instances of a vulnerability
     - A lack of developer knowledge about security that leads to errors and programming gaps
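The "database validation" and "developer knowledge" risks above are easiest to see in code. The following is an added example, not material from the Veracode deck: a username lookup written two ways against a constructed SQLite table, with the kind of SQL injection payload counted in the attack-method list run against both, plus an allowlist check on the input format. The table layout, rows, payload string and username policy are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; not taken from the page.
USERS = [("alice", "h1", 0), ("bob", "h2", 0), ("root", "h3", 1)]
# Attacker-controlled input that closes the string literal and adds an always-true clause.
PAYLOAD = "x' OR '1'='1"
# Allowlist for the username format (an assumed policy for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        USERS,
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the input is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened: the driver binds the value as data; it is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def validate_username(username):
    """Data format validation: reject anything outside the allowlist before it reaches a query."""
    return bool(USERNAME_RE.match(username))


def demo():
    """Run both lookups on the same inputs and return the results side by side."""
    conn = make_db()
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_payload": find_user_vulnerable(conn, PAYLOAD),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, PAYLOAD),
        "payload_passes_validation": validate_username(PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns every row for the payload because the query becomes `... WHERE username = 'x' OR '1'='1' ORDER BY id`; the parameterised lookup returns nothing because the whole payload is compared as a literal username. The allowlist check is the "data format validation" layer: it rejects the payload before any query runs, which is a standard library function every developer on the team should be reaching for rather than re-inventing.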
  7. Deployment. As an organization rolls out a web application, there is a focus on ramping up new or improved functionality. But too often, during this phase, security takes a back seat. Here is how an organization can get hurt:
     - Little or no focus on testing software to determine whether it is vulnerable
     - Avoiding or underutilizing testing in a race to deploy applications and software rapidly
     - No use of scanning tools that identify vulnerabilities before hackers can exploit them. The average organization has about 30 percent more web applications and pages than it knows about, and in some cases "shadow IT" (unauthorized IT systems) represents a risk as well
     - No consideration of runtime protection tools, such as a web application firewall (WAF) or runtime application self-protection (RASP)
  8. Upgrade and Patches. This phase is paramount because it represents an opportunity for developers and security teams to reassess and improve the level of application security. Here are some of the pain points:
     - An organization may overlook rescanning and reassessing web applications after updates. As a result, it misses emerging vulnerabilities and fails to fix existing risks.
     - Development teams and others do not adequately update information about components and software versions, leading to incomplete information and larger threat exposure.
     Do you know where the vulnerabilities in your organization's software come from? Veracode's guide, How Do Vulnerabilities Get Into Software?, reveals the four main sources, so you are better equipped to create an application security strategy that will protect your business and reduce your risk.
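Both the "find all instances of a vulnerability" point in the development stage and the component-version tracking point above come down to two things: an accurate inventory and a version comparison that is actually correct. The following is an added example, not the deck's own material. A constructed inventory of applications and the components they bundle (hypothetical names and versions) is checked against a constructed "fixed-in" list, and the numeric version comparison is contrasted with the lexical string comparison that silently misses upgrades such as 1.9.4 to 1.10.0.

```python
# Constructed inventory: which application bundles which component at which version.
# Names and versions are hypothetical, chosen to exercise the comparison logic.
INVENTORY = {
    "billing-web": {"libfoo": "1.9.4", "libbar": "2.0.0"},
    "portal": {"libfoo": "1.10.0", "libbar": "1.8.1"},
    "intranet-api": {"libfoo": "1.2.0"},
}

# Constructed advisory data: for each component, the first version that carries the fix.
FIXED_IN = {"libfoo": "1.10.0", "libbar": "2.0.0"}


def parse_version(text):
    """Turn a dotted version such as 1.10.2 into (1, 10, 2) so comparison is numeric per field."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(installed, fixed_in):
    """True when the installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def is_affected_naive(installed, fixed_in):
    """The common mistake: lexical string comparison, which orders 1.9.4 after 1.10.0."""
    return installed < fixed_in


def find_affected(inventory, fixed_in, compare=is_affected):
    """Return every (app, component, installed, fixed) tuple that still needs the patch."""
    hits = []
    for app, components in sorted(inventory.items()):
        for component, version in sorted(components.items()):
            if component in fixed_in and compare(version, fixed_in[component]):
                hits.append((app, component, version, fixed_in[component]))
    return hits


def apps_to_rescan(inventory, fixed_in):
    """Applications that carry an unpatched component and therefore need a fresh scan."""
    return sorted({app for app, _, _, _ in find_affected(inventory, fixed_in)})


if __name__ == "__main__":
    for hit in find_affected(INVENTORY, FIXED_IN):
        print("%s: %s %s (fixed in %s)" % hit)
    print("rescan:", apps_to_rescan(INVENTORY, FIXED_IN))
    print("naive comparison finds only:", find_affected(INVENTORY, FIXED_IN, is_affected_naive))
```

With the constructed data the numeric comparison flags three application/component pairs, while the naive string comparison flags only one, because "1.9.4" sorts after "1.10.0" and "1.2.0" sorts after "1.10.0" as text. An inventory that is never refreshed has the same effect as a wrong comparison: the affected application simply never appears on the rescan list.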
  9. Maintenance. Today, business and IT environments change on a daily basis. As organizations migrate to clouds, harness the Internet of Things and advance web and mobile applications, new risks materialize. A few of the common risks at this stage:
     - Viewing web application security as static and failing to reassess periodically, particularly when major hardware, operating system or application changes take place. Risk levels may increase or decrease as IT changes take place.
     - Overlooking metrics that provide concrete information about risks and help convince senior management to budget for specific cybersecurity tools and solutions
  10. Embracing a More Secure Model. A holistic and comprehensive framework, one that addresses potential risks and threats, goes a long way toward building a better enterprise cybersecurity strategy.
  11. About Veracode. Veracode is a leader in securing web, mobile and third-party applications for the world's largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market without compromising security. Veracode's powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures. Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes' 100 Most Valuable Brands. Learn more on the Veracode blog and on Twitter.
     References
     [1] Verizon 2015 Data Breach Investigations Report, Verizon, April 2015.
     [2] Ibid.
     [3] "Four Out of Five Applications Written in Web Scripting Languages Fail OWASP Top 10 Upon First Assessment," Veracode, December 3, 2015.
     [4] Verizon 2015 Data Breach Investigations Report, Verizon, April 2015.
     [5] State of Software Security: Focus on Application Development, Supplement to Volume 6, Veracode, Fall 2015.