RSA 2013 – Cooking Tips For Crafting a Super-Powered Risk Assessment Program
Companies now more than ever know that it is not enough to just be compliant; vulnerabilities in applications can allow attackers to access data even if their network is secure. This means that managing business risk requires an approach that leverages the strengths of both assessment types: network assessments bring an “outside in” and infrastructure perspective to risk management, while application assessments bring an “inside out” and business criticality perspective to risk management.
By combining these assessments, users get a super-powered risk assessment program; they are able to view not only the vulnerabilities present on the networked server, but the vulnerabilities introduced by the applications residing on that server.
Add this Infographic to Your Website for FREE!
Infographic by Veracode Application Security
Like our infographics? Check out our Software of Unknown Pedigree infographic.
Traditional risk assessment techniques alone are often soiled and not effective enough to secure your enterprise. Network and application assessments respectively contribute to the overall security architecture of an organization, but by combining the two enterprises can benefit exponentially -gaining increased visibility and responding more rapidly to vulnerabilities
Setting the Table – What do these companies Exxon Mobile, Heartland Payment Systems, LinkedIn, BP, Sony, have in common?
Big Breaches AND application vulnerability was a critical weakness in all three: a SQL Injection vulnerability exposed to the internet was the vector to penetrate the organizations.
- 3 Different organizations
- 3 Different attacker goals
- 1 Vulnerability Type
Why aren’t traditional security measures working?
- Firewalls – Firewalls don’t block data moving to and from trusted computers. You trust your web servers. You trust your employee’s desktops. This Won’t stop spear phishing or web app attacks
- Encryption – You Encrypt data so it can’t be snooped over network or read from a stolen hard drive. Attackers access encrypted data through application posing as legitimate users
- Antivirus – Can only stop known malware Attackers make brand new custom malware to attack you
Get The Best Ingredients
- Application Security – Application security helps identify, fix, and prevent security vulnerabilities in any kind of software application -no matter the function, language, or platform
- SAST – Static analysis, also commonly called “white-box” testing, looks at applications in a non-runtime environment. This method of security testing has distinct advantages in that it can evaluate both web and non-web applications and through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone
- DAST – Dynamic analysis security testing (DAST) or “black-box testing” empowers companies to identify and remediate security issues in their running web application before hackers can exploit them. By dynamically testing web applications at run-time, a user inspects applications the same way a hacker would attack them -providing accurate and actionable vulnerability detection
- Vulnerability Assessment – Vulnerability assessments assess risk from outside and in. Risk is all about your perspective. Risk = Threat x Vulnerability x Cost
The Right Mix Makes The Sweetest Pie
- Application Testing
- Network vulnerability scanner now knows
- Where all the applications are
- If there are any host vulnerabilities
- The criticality of assets an application has access to
By Selecting the Best Ingredients… You Get the Best Results
- The right combination of network vulnerability scanning and application security testing in more accurate security testing results in more accurate risk assessments, improved vulnerability class coverage and increased environmental context
- See where application flaws are located in assets deployed in their computing networks
- Determine if flaws introduced during the Software Development Life Cycle of an application have made it into a production network will greatly improve the efficacy of your organizations security risk reduction efforts