
Application Vulnerability Management Requires a Risk-based Approach

Dec 12, 2018
Jeff Aboud


Application security teams face unique and often daunting challenges. It’s their job to protect the organization from application vulnerabilities that can lead to data breaches. Yet with all of this accountability, they have very little of the responsibility for remediating application vulnerabilities, which translates into constantly being on the proverbial hot seat. They’re quickly blamed when critical vulnerabilities aren’t fixed in a timely manner, but there’s honestly little they can actually do about it. The development teams are the only ones who can remediate those vulnerabilities, and that’s not their primary job. Usually, dev’s primary job is to get new features out quickly, not to perform security fixes.

Using Prioritization to Get Off the Hot Seat

So how can AppSec teams make their lives easier and get off the hot seat? Simple. By making dev’s lives easier. One way to do that is to prioritize which vulnerabilities should be remediated first and which to push to later (or never). But to do this, they need to understand which vulnerabilities pose the highest risk, and that requires comprehensive and truly defensible data that enables them to determine a specific risk metric for each one.

There are a multitude of application security tools available, but each one provides only a small portion of the data needed to make a judgement call. Unless the data from these various tools can be correlated and de-duplicated, and then merged with information about application context and current exploit data, all of it is simply that: data. And sifting through mounds of flat data without any additional color to help teams make sense of what it all means can be a time-consuming and relatively fruitless effort.

The Importance of Context

AppSec can’t have their development teams remediate everything. That’s not only impractical, but also unnecessary, since only a relatively small portion of application vulnerabilities pose any real risk. So, to gain the upper hand against cyberattacks, application security teams need context to understand what is truly going on in their environment. By weaving together all of the security data from their various scanners, testing tools, and other sources, they can develop a specific risk score for every single vulnerability they have. And of course, once this is done, they can easily rank those vulnerabilities by score. Automation has to play a key role in this process, so that AppSec teams can quickly understand, correlate, and disseminate the intelligence. Speed and efficiency are certainly important, and automation can perform in seconds what it would take a human being hours or even days to complete. But automation can also scale well beyond what a team of human beings could ever do.
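The pipeline described above (correlate and de-duplicate findings from several tools, merge in application context and exploit intelligence, score, then rank) as an added illustration that is not Kenna's code or algorithm; the findings, context, intelligence feed and scoring weights are all constructed for the example.

```python
# Constructed sample findings from two hypothetical scanners (not real tool output).
RAW_FINDINGS = [
    {"tool": "sast", "app": "billing", "cwe": "CWE-89", "location": "/api/invoice", "severity": 9.0},
    {"tool": "dast", "app": "billing", "cwe": "CWE-89", "location": "/api/invoice", "severity": 8.5},
    {"tool": "sast", "app": "intranet-wiki", "cwe": "CWE-79", "location": "/search", "severity": 6.1},
    {"tool": "dast", "app": "billing", "cwe": "CWE-200", "location": "/debug", "severity": 5.3},
]
# Constructed application context, assumed to come from an asset inventory.
APP_CONTEXT = {
    "billing": {"internet_facing": True, "handles_pii": True},
    "intranet-wiki": {"internet_facing": False, "handles_pii": False},
}
# Constructed exploit intelligence keyed by weakness class (assumed feed format).
EXPLOIT_INTEL = {
    "CWE-89": {"public_exploit": True, "active_exploitation": True},
    "CWE-79": {"public_exploit": True, "active_exploitation": False},
}


def correlate(findings):
    """Merge findings that report the same weakness at the same place (keep max severity)."""
    merged = {}
    for f in findings:
        key = (f["app"], f["cwe"], f["location"])
        rec = merged.setdefault(key, {"app": f["app"], "cwe": f["cwe"], "location": f["location"],
                                      "severity": 0.0, "tools": set()})
        rec["severity"] = max(rec["severity"], f["severity"])
        rec["tools"].add(f["tool"])          # remember which tools corroborated it
    return list(merged.values())


def risk_score(vuln, context=APP_CONTEXT, intel=EXPLOIT_INTEL):
    """Combine scanner severity (0-10) with context and exploit evidence into a 0-100 score."""
    ctx = context.get(vuln["app"], {})
    exp = intel.get(vuln["cwe"], {})
    score = vuln["severity"] * 5                       # at most half the score comes from the scanner
    score += 15 if ctx.get("internet_facing") else 0   # reachable by external attackers
    score += 10 if ctx.get("handles_pii") else 0       # breach impact
    if exp.get("active_exploitation"):
        score += 20                                    # observed exploited in the wild
    elif exp.get("public_exploit"):
        score += 10                                    # exploit code exists
    score += 5 if len(vuln["tools"]) > 1 else 0        # confirmed by independent tools
    return round(score, 1)


def rank(findings, context=APP_CONTEXT, intel=EXPLOIT_INTEL):
    """Return correlated vulnerabilities ordered highest risk first, with scores attached."""
    vulns = correlate(findings)
    for v in vulns:
        v["score"] = risk_score(v, context, intel)
    return sorted(vulns, key=lambda v: v["score"], reverse=True)
```

On this constructed data the billing SQL injection scores 95.0, the billing information-disclosure finding 51.5 and the intranet XSS 40.5, so the lower-severity but internet-facing, PII-handling finding outranks the higher-severity internal one.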

With the appropriate context, application security teams can more easily determine which of the organization’s thousands of vulnerabilities pose the most risk and therefore appropriately prioritize what should be remediated first. And because they’ll have a comprehensive view of their true application risk posture, they’ll be in a far better position to exert an appropriate level of influence to reduce it without putting undue strain on development teams.

To learn more about the specific challenges application security teams face and how to take a risk-based approach to application vulnerability management, download our white paper, Stop Playing Catch-Up on Application Risk.
