Application vulnerability assessments are a vital part of a security process for any organization deploying online applications. Vulnerability assessments identify critical threats, sensitive information leakage, and a wide array of other security issues. While the discovery of these vulnerabilities is the most immediate value returned from an assessment, there are several other commonly missed benefits from them. If performing multiple engagements, an even greater opportunity is provided for organizations to build better long term security practices. Below are several things to keep in mind after performing an assessment:
Build Fixes into the SDLC
As vulnerability assessments are conducted across multiple applications within an organization, a clear picture is often painted of areas in which need improvement. While vulnerabilities are often remediated with quick patches to insecure code, by putting slightly more effort into a long term solution an even larger benefit can be gained. This is a great opportunity to take the remediation and build it into the development process. Instead of creating many small code patches, build the patches into trusted frameworks which can be reused by many applications.
If issues of Cross-site Scripting (XSS) are a recurring problem, development teams should take the time to build proper input validation into request handling functions. This will ensure input is properly validated across the application, and that these controls are reused across the organization, rather than a few isolated areas.
A CISO looking at recurring XSS issues may wish to meet with lead developers and discuss long term solutions to input validation coding practices. Remember that each issue has a cost, both in terms of a security tester finding and reporting it, and the developers remediating the issue. Over multiple years, multiple applications, and multiple vulnerability assessments, the cost of issues can be compounded greatly.
Pay Attention to the Lows
Low Risk vulnerabilities are often not remediated if a significant cost associated with it. While threat prioritization is a necessity, Virtue Security strongly recommends Low Risk issues be remediated within 90 to 180 calendar days. While these issues often disclose only minimally sensitive information, it’s important to keep in mind this is still useful to an attacker. If an attacker were to discover every low risk item across an organization, chances are high that they will have an easier time carrying out other attacks against the organization.
Even small amounts of internal knowledge, can be used as strong leverage when carrying out social engineering attacks. An attacker can gain a lot of credibility if he or she is able to ask specific questions regarding internal systems or software. Additionally, some low issues have compounding risk; the existence of some low risk issues can increase the exploitability of higher risk issues.
Think More Than Compliance
To some, vulnerability assessments may be like a trip to the dentist; not everyone wants to go through an audit, but they exist to help. They may be conducted as part of a PCI, HIPAA, or regulatory audit, but it’s important that they ultimately exist to benefit the organization. Performing assessments with the only goal of maintaining compliance is not a sustainable practice. It’s also important to realize that compliance is only a short term goal, and only doing the minimum to meet these goals is a recipe for disaster.
Working with vendors to ensure the scope of assessments is properly defined is also critical for a thorough assessment. Ensuring test dates are fair and reasonable and start on time will only benefit the organization. Attempting to squeeze assessments into shortened time frames should be avoided if possible.
Compare Vendors
Large organizations should use multiple vendors; keeping a competitive atmosphere can deter a vendor from complacency and ensure engagements are performed with diligence. While some organizations perform direct simultaneous comparative tests between two vendors, this can result in assessments double in price. Organizations wishing to save money but still validate another vendor’s findings may wish to alternate applications between vendors on an annual or biannual basis. Over time, a weak security vendor may become apparent. Do consider that ethical hacking changes quickly, and additional issues should be expected to be discovered after one year’s time.
Conclusion
Application vulnerability assessments are one of the most cost effective ways to identify weaknesses in application business logic. By coordinating long term plans with development teams, even greater value can be obtained. To keep a steady value, work with vendors to make sure testing scope reflects real world attack scenarios and ensure testers have reasonable timeframes to complete testing. Thinking in terms of long term solutions often has far greater rewards than simply maintaining short term compliance. Avoiding a breach is the ultimate goal of just about everything we do, if we keep this in mind and properly manage short term goals, we will all be better off.
For more information on how you can get the most out of your next application vulnerability assessment, contact Virtue Security founder Elliott Frantz at elliott.frantz@virtuesecurity.com