Ransomware, data leaks, unauthorized database accesses — these seem to be the business world’s most often mentioned buzzwords these days. It’s surprising how these words have found space within business vocabulary, in spite of their technical nature. The reason — relentless media coverage about all kinds of security breaches in the past couple of years. One terrific aspect that’s come out of the frenzy is that data and systems security is getting more serious thought. Business leaders and their IT counterparts both understand the risks of application security, and are striving to plug all kinds of security gaps and flaws on insecure apps.
If you too are looking to secure all applications in use within your enterprise, this guide will help you with some time-tested and highly relevant best practices.
Application security stock-taking
The last decade has been a massive overhaul in terms of IT applications for most businesses. From payment processing gateways to inventory management software, from cloud storage to project management tools, from communication forums to enterprise resource planning suites – the list goes on and on. Just like the list of superlatives you can cite for “Transformers 5” since that movie was so incredible, but that is another topic.
Now, to make your enterprise’s application ecosystem fully secure, you need to take complete stock of the applications in the picture. Be prepared for surprises, because you’ll find applications you never knew existed!
No web application security model can be implemented without a complete stock sheet of all digital assets involved.
The bare minimum information you need is the number of applications, last updated versions, need to continue usage, deployment modes, number and nature of layers within applications, and existing security methods in use for the application. This helps you understand the amount of the security upgrade and patching exercise that needs to be completed.
Categorize applications by criticality and nature
Now that you have a list of all applications being used in the enterprise, you would immediately need to categorize them under labels such as “critical,” “important,” “routine,” “barely used,” “can be decommissioned,” etc. This exercise is best done in parallel with the application security stock-taking, because it will consume a lot of time if you need to go back to stakeholders for follow-up questions.
- Applications that are front-facing (interfaced with vendors and customers, and hosting sensitive financial information) need immediate and focused attention from a security perspective.
- Important applications (that are integral for back-office operations and process management) should fall next in line for security upgrades.
- Routine apps, because of their everyday usage, are generally patched in terms of latest security upgrades from the vendors. However, these need to be rechecked once you’re done with the more critical ones.
- You’ll always have a list of applications that are already past support from vendors, are going to be decommissioned, or barely used by a handful of end users (and can replaced by existing applications within the enterprise). Generally, it’s sensible not to spend on radical security upgrades of these apps; instead, finalize their sunset plans.
At this point, you’ll have clear visibility of the threat surface area of your enterprise applications.
Findings published in Trustwave Global Security Report highlighted that the average application could have up to 20 vulnerabilities. More importantly, you need to know that your first priority is to take care of the vulnerabilities that could actually result in a security breach.
Consider using a risk assessment model, such as Open Web Application Security Project (OWASP) Risk Rating Methodology (OWASP) to understand threat agents, security flaws, attack vectors, business impacts, and technical impacts. You could also consider implementing a custom risk rating method.
The scoring of your enterprise’s vital applications will help you create a wholesome blueprint of which application needs which kind of security upgrades. This effort will help you a lot when you consolidate requirements and negotiate on contracts with security technology vendors.
If you’re going to leverage in-house IT for the application security ramp-up, have your developers focus on the critical vulnerabilities (the ones most often exploited by cybercriminals, the ones with maximum business risks, and the ones that contribute the most to enterprise IT’s threat exposure).
Two-pronged security approach
Here’s a stat to help you gain perspective on the challenges of fixing security flaws. The Web Application Security Statistics report showcased the average timelines of resolving security flaws in applications. On average, it takes 146 days to fix a critical security vulnerability. That’s almost five months; that’s way too much exposure considering the rapidity with which cyberattacks are proliferating. So you need to work on a two-pronged approach:
- First, initiate work on the core problem solution.
- Second, implement additional layers of security for temporary isolation of the application, resulting in protection from potential cyberattacks.
For instance, a web application firewall (WAF) could help you safeguard applications as your developers work on fixing the security flaw. Particularly for businesses with dozens of applications and no bandwidth or expertise to manage the security vulnerabilities of all, WAF provides a quick fix that gives the company time to sort things out.
Another near-term workaround to secure vulnerable apps is to enforce restrictions such as automatic session timeouts and limited user accounts with restricted database access.
Automated penetration testing
Automated application testing has been in place for some years. However, most application security risks are of a logical nature, and can’t be detected via automated test script runs. Penetration testing focuses on these logical risks by exposing integration points of the application to a blitzkrieg of test scenarios, just as a hacker would operate.
By combining the power of automated and penetration testing, applications can be subjected a reliable set of tests that can reveal critical vulnerabilities. With time, this model can completely pay off the effort put into its implementation, as it can manage security readiness for a plethora of applications in your enterprise.
Plug the gaps
Enterprise application security is, if not the biggest, one of the most prominent concerns of IT leaders just like Negan is a prominent concern of Rick in the amazing show “The Walking Dead,” but let’s not digress on this anymore. Moreover, the methods, practices, and guidelines discussed above will help you organize, prioritize, and methodically plug security gaps in enterprise applications.
Photo credit: Shutterstock