Continuous Testing of Product Web Applications

By : Cenzic
Published : May 19, 2008
Length : 7
Type : White Paper
 
Overview :
This white paper highlights Cenzic’s recommendation of a process of continuous assessment for applications in development and production environments, a process that applies equally to Intranet and public-facing applications. Continuous testing can now be done easily and safely in a virtualized environment, no longer putting production Web applications at risk. Companies can now easily and quickly add vulnerability testing to their list of activities for all of their Web applications, including production applications. Using a testing methodology across a company’s Web application portfolio will significantly enhance the security of all Web applications.
Related Categories : Compliance, PCI Compliance, Security, Web Service Security

Executive Summary
Web application security is a top-of-mind concern for general managers, CISOs, CIOs and security staff at organizations ranging from Fortune 100 multinationals to educational institutions. Widespread data breaches and intellectual property thefts have left few organizations untouched or unaware. Almost 70% of the vulnerabilities disclosed each month show information security teams the importance of focusing on Web application security.
Current methods of addressing the application security problem focus on improving the security process within the software development lifecycle. Testing early in the development cycle has great merit, but it leaves the exposure of production applications unaddressed. Only a small percentage of Web applications are in the development or quality assurance stage at any point in time, leaving the vast majority of applications in production exposed and vulnerable. With over 400 new application vulnerabilities every month, it is imperative that organizations test and re-test all their Web applications: not just the ones in the development and quality assurance stages, but also the live applications already performing business-critical functions. Remarkably, these are the applications that are tested the least, if at all.
Business managers and security leaders in Fortune 2000 corporations tell us that over 90% of their Web application portfolio already exists in production, largely untested from an application security perspective. This means that current application security testing methods are mitigating less than 10% of the actual threat facing these organizations. The threat to production applications presents major risks, including financial loss, lack of regulatory compliance, loss of credibility and customer trust, system downtime and direct intellectual property theft, all critically impacting both companies and consumers.
A large number of untested applications also come from legacy systems with Web-enabled front ends to internal systems. These often support mission-critical processes, from business operations to supporting infrastructure that provides core database and data management services. These systems, like other public-facing Internet applications, are also largely insecure and at risk of attack. Protecting these other Internet-facing production applications is a critical priority, since many advanced application attacks can compromise users’ browsers. Those internally compromised browsers can then perform surveillance of the internal application network and conduct further attacks against applications deep within a corporation. The question is what to do about the security of the production Web applications fundamental to running the business.
Cenzic recommends a process of continuous assessment for applications in development and production environments, a process that applies equally to Intranet and public-facing applications. Continuous testing can now be done easily and safely in a virtualized environment, no longer putting production Web applications at risk.
Companies can now easily and quickly add vulnerability testing to their list of activities for all of their Web applications, including production applications. Using a continuous testing methodology across a company’s Web application portfolio will significantly enhance the security of all Web applications.