
Application Risk Management: Navigating the Storm

Apr 9, 2018
Jeff Aboud


Did you know that enterprises have anywhere from a few hundred to several thousand applications running on thousands of assets across their networks? Do the math on those numbers, and you’re talking about a ton of application vulnerabilities inside your network! And this poses a significant threat. According to the 2017 Verizon DBIR, nearly 30 percent of all successful breaches utilize applications as the vector.

There are two major reasons why there are so many application vulnerabilities. First, if you’re a software developer, security isn’t likely your primary concern; instead, you need to focus on getting features out quickly. Second, the threat landscape is continuously evolving, with new vulnerabilities discovered every day, making it impossible to keep up with constant patch cycles.

Couple all of this with the growing cybersecurity skills gap, and you have yourself a “perfect storm” for bad actors. According to ESG’s 2018 IT spending intentions survey, 51 percent of organizations have a problematic shortage in IT cybersecurity skills that are required to deal with these realities. Further exacerbating the problem, the sheer volume of application security data is overwhelming, limiting an application security analyst’s ability to quickly identify, prioritize, and mitigate vulnerabilities. Even if the team is large, they simply can’t scale to test more than a small fraction of them. And the effort required to manage and measure the risk introduced by application layer vulnerabilities continues to increase year over year.

Application security teams have their hands full just gathering and analyzing the results from all of their various scanners, and while they know there is risk, they simply don’t have the time, expertise, or context to find and remediate the relatively small percentage of application vulnerabilities that expose them to the most risk. As a result, they can’t prioritize what to fix first, so all too often they end up fixing the wrong vulnerabilities while dangerous applications continue to run. Or worse, they go into reactive mode and do nothing until an application is actually compromised.

Today, Kenna Security announced a solution to this critical problem that will help enterprises prioritize the application vulnerabilities that are most likely to lead to data breaches and other malicious attacks. The Kenna Application Risk Module is a scalable, cloud-based solution that enables organizations of any size to prioritize application vulnerabilities by risk. The module processes and normalizes all application security data, including static and dynamic scanners, penetration test results, bug bounty data, and open source scanners to help compute the relative risk score for each vulnerability, and then correlates that data with near real-time telemetry from existing Web Application Firewall (WAF) deployments to determine which vulnerabilities are being attacked.

This context empowers application security staff, DevOps, and developers to continuously, effectively, and proactively remediate the high-risk application vulnerabilities that are most important to them.

The Kenna Application Risk Module extends the capabilities of the Kenna Security Platform by applying the same data science to vulnerabilities at the application layer. By discovering and prioritizing application vulnerabilities and communicating the results to all application stakeholders, the Kenna Application Risk Module focuses the organization’s limited development and IT resources to reduce the most risk.

For more information, see the press release or visit the Application Risk Module product page.
