the 5 stages of security risk in web applications


Upload: veracode

Post on 15-Apr-2017


TRANSCRIPT

  • THE 5 STAGES OF APPLICATION SECURITY RISKS

    Why a cradle-to-grave approach to managing vulnerabilities is the best defense against today's massive security breaches

  • Hacks, attacks and full-blown assaults on companies worldwide have become regular events in recent years. What is one of the most common sources of breaches? Web applications. The Verizon 2015 Data Breach Investigations Report found that web applications account for as much as 35 percent of breaches in some industries.1

    While there's no way to be completely impervious to all of today's threats, a key component of a strong application security program involves spotting potential problems and diffusing them before a breach takes place.

    The 5 Stages of Application Security Risks | 01

  • It's certainly no news flash that cybercrooks are an opportunistic bunch. According to the Verizon report, 98 percent of web application attacks aim at easy marks such as coding errors and unprotected applications.2 What's more, these intrusions and breaches can take place at any stage of the software lifecycle, which makes it essential to monitor conditions throughout all five lifecycle stages:

    Design

    Development

    Deployment

    Upgrade and Patches

    Maintenance

    Veracode has found that a typical organization has, on average, 30 percent more websites and web pages than it officially recognizes. Making matters worse, about 80 percent of applications written in web scripting languages are vulnerable to at least one threat risk at the time of an initial assessment.3


  • WHAT ARE THE MOST COMMON ATTACK METHODS?4

    Use of Stolen Credentials: 51%

    Use of Backdoor or C2: 41%

    SQL Injection: 19%

    Remote File Inclusion (RFI): 8%

    Abuse of Functionality: 8%

    SURVEYING THE DANGERS

    You should launch your application security initiative before any code is ever written and continue your efforts through the entire software lifecycle. There are risks at each stage.

  • Design

    The design stage is critical because it establishes an organization's overall web application security framework. The biggest risks at this stage include:

    Poor design of security technologies such as password management, failure to incorporate multifactor authentication, or other authentication and authorization technologies

    Practices and procedures that allow inadvertent or malicious abuse of resources, such as poor or no threat modeling, as well as a failure to anticipate and/or defend against possible paths of attack

    Software and code that fails to address specific and known vulnerabilities

    Applications and software that are used differently than originally intended and, therefore, are in a new risk landscape, such as applications that are newly deployed in the cloud

    According to Veracode initial assessment scan data, vulnerabilities in various scripting languages range from about 21 percent for Java to 64 percent for Microsoft Classic.5


  • Development

    During the development stage, it's vital to focus on several issues that directly impact security. Among the biggest risks:

    A lack of standards and standard libraries for software coding, including data format validation and database validation

    A lack of governance structure and standards that encompasses API libraries, coding libraries and open-source scripting

    Too little emphasis on testing software for application security issues, or managing the process at too late a stage or in an ad hoc way. This is a major concern in Agile and DevOps environments.

    No mechanism for staying current about new threats and recently discovered bugs in the code base, and no systematic and effective way to find all instances of a vulnerability

    A lack of developer knowledge about security that leads to errors and programming gaps


  • Deployment

    As an organization rolls out a web application, there's a focus on ramping up new or improved functionality. But too often, during this phase, security takes a back seat. Here's how an organization can get hurt:

    Little or no focus on testing of software to determine whether it's vulnerable

    Avoiding or underutilizing testing in a race to deploy applications and software rapidly

    No use of scanning tools that identify vulnerabilities before hackers can exploit them. The average organization has about 30 percent more web applications and pages than it knows about. In some cases, "Shadow IT" or unauthorized IT systems represents a risk as well.

    A lack of consideration for protective security tools, such as a web application firewall or runtime application self-protection (RASP)


  • Upgrade and Patches

    This phase is paramount because it represents an opportunity for developers and security teams to reassess and improve the level of application security. Here are some of the pain points:

    An organization may overlook rescanning and reassessing web applications after updates. As a result, it misses emerging vulnerabilities and fails to fix existing risks.

    Development teams and others don't adequately update information about components and software versions, leading to incomplete information and larger threat exposure.


    Do you know where the vulnerabilities in your organization's software come from? Our informative guide, How Do Vulnerabilities Get Into Software?, reveals the four main sources, so you're better equipped to create an application security strategy that will protect your business and reduce your risk.

    Learn more: http://vera.cd/vulnerabilities

  • Maintenance

    Today, business and IT environments change on a daily basis. As organizations migrate to clouds, harness the Internet of Things and advance web and mobile applications, new risks materialize. A few of the common risks at this stage:

    Viewing web application security as static and failing to reassess periodically, particularly when major hardware, operating system or application changes take place. Risk levels may increase or decrease as IT changes take place.

    Overlooking metrics that provide concrete information about risks and help convince senior management to budget for specific cybersecurity tools and solutions


  • Embracing a More Secure Model

    A holistic and comprehensive framework, one that addresses potential risks and threats, goes a long way toward building a better enterprise cybersecurity strategy.

    WANT TO LEARN MORE ABOUT APPLICATION SECURITY?

    Get all the latest news, tips and articles delivered right to your inbox by subscribing to our blog: https://info.veracode.com/blog-subscribe.html

  • ABOUT VERACODE

    Veracode is a leader in securing web, mobile and third-party applications for the world's largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market without compromising security.

    Veracode's powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.

    Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes 100 Most Valuable Brands. Learn more at www.veracode.com, on the Veracode blog (http://www.veracode.com/blog) and on Twitter (https://twitter.com/Veracode).

    1 Verizon 2015 Data Breach Investigations Report, Verizon, April 2015. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

    2 Ibid.

    3 Four Out of Five Applications Written in Web Scripting Languages Fail OWASP Top 10 Upon First Assessment, Veracode, December 3, 2015. https://www.veracode.com/four-out-of-five-applications-written-in-web-scripting-languages-fail-owasp-top-10-upon-first-assessment

    4 Verizon 2015 Data Breach Investigations Report, Verizon, April 2015. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

    5 State of Software Security: Focus on Application Development, Supplement to Volume 6, Veracode, Fall 2015. https://info.veracode.com/state-of-software-security-report-volume6-pt2.html