Continuous Testing of Product Web Applications

W H I T E P A P E R CE NZ IC Continuous Testing of Production Web E Applications N TE Over 90% of web applications go untested against hackers. Read R how you can continuously test your web production environments P (without risk) via virtualization to secure all your web RI applications. S E AP P L I C A T I O N S E C U R I T Proprietary Notice Y The information in this document is the property of Cenzic, Inc. and cannot be reproduced or redistributed for commercial purposes, without prior written consent from Cenzic, Inc. © Copyright 2008 Cenzic, Incwww.Cenzic.com | (866) 4-CENZIC (423-6942)
Table of Contents Executive Summary ........................................................................................................ 3
Web Application Security Optimization (W.A.S.O.) ......................................................... 4
Continuous Assessment of Production Applications ....................................................... 5
Two Easy Ways to Perform Continuous Assessments.................................................... 6
About Cenzic................................................................................................................... 7
White Paper: Continuous Application Assessment | Copyright © 2008 Cenzic, Inc. 2 www.Cenzic.com | (866) 4-CENZIC (423-6942)
Executive Summary Web application security is a key top-of-mind concern for general managers, CISO's, CIO's and security staff for businesses ranging from Fortune 100 multinationals to educational institutions. Widespread data breaches and intellectual property thefts have left few organizations untouched or unaware. Almost 70% of the vulnerabilities disclosed each month shows information security teams the importance of focusing on Web application security. Current methods of addressing the application security problem focus on improving the security process within the software development lifecycle. Testing early in the development cycle has great merit, but it leaves production applications' exposure unaddressed. Only a small percentage of Web applications are in the development or quality assurance stage at any point of time, leaving a vast majority of the applications in production exposed and vulnerable. With over 400 new application vulnerabilities every month, it is imperative that organizations test and re-test all their Web applications, and not just the ones in development and quality assurance stages, but live applications already performing business critical functions. Remarkably, these are the applications which are tested the least, if at all. Business managers and security leaders in Fortune 2000 corporations tell us that over 90% of their Web application portfolio already exists in production; largely untested from an application security perspective. This means that current application security testing methods are mitigating less than 10% of the actual threat facing these organizations. The threat to production applications present major risks including financial loss, lack of regulatory compliance, loss of credibility and customer trust, as well as system downtime and direct intellectual property theft; all critically impacting both the companies and consumers. A large number of untested applications also reside from legacy systems with Web-enabled front ends to internal systems. These often support mission critical processes from business operations to supporting infrastructure providing core database and data management services. These systems, like other public facing Internet applications, are also largely insecure and at risk of attack. Protecting these other Internet-facing production applications are critical priorities since many advanced application attacks can compromise users' browsers. Those internally compromised browsers can then perform surveillance of the internal application network as well as conduct further attacks against applications deep within a corporation. The question is what to do about the security of production Web applications fundamental to running the business. Cenzic recommends a process of continuous assessment for applications in development and production environments -- a process that can equally apply to Intranet and public facing applications alike. Continuous testing can... [download for more]