Take a Risk-based Approach to Application Security

Jun 7, 2018
Jeff Aboud


If you’re an application security professional, chances are that you face some major uphill battles every day. First, you need to somehow influence your development team to fix the vulnerabilities you find, which is no easy task, considering that a development team’s primary responsibility is to get new features out the door, not to work on security issues. And second, you have so much security data coming in that it’s nearly impossible to determine what’s truly a critical vulnerability.

Think for just a moment about the various types of security data you have to continuously sift through before finally making a judgement call:

  • Results from all of your various vulnerability scanners
  • Static testing (SAST)
  • Dynamic testing (DAST)
  • Open source code scanners
  • Penetration testing data
  • Bug bounty programs


The sheer amount of security data coming from all of these sources can be pretty overwhelming! But more importantly, much of this data is duplicated across sources, so the same issue shows up several times and the volume balloons. And since your development teams can only spend a small portion of their time on remediation, you need to quickly prioritize the relatively low number of high-risk vulnerabilities to make the best use of their limited time. And since the application team will likely have to go through the time and effort required to write their own patches, your accuracy is essential to ensure that they don’t waste cycles patching vulnerabilities that pose little to no risk.

The Kenna Application Risk Module leverages the Kenna Security Platform to process and normalize all of that application security data, apply application context to assess each application’s relative importance, and then supplement it with real-time exploit data. Finally, we correlate all of that data together and apply data science to determine your organization’s complete application risk posture. The end result is that you end up with a specific risk score for every vulnerability, so you can easily prioritize each one to ensure that your development teams are as effective as possible in reducing your organization’s risk posture.
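The steps described above (normalize findings from several tools, collapse duplicates, weight by application importance, boost when a public exploit exists, and rank by score) can be sketched in a few dozen lines. The following is an added example written for this post, not Kenna's code; the findings, application weights and exploit feed are all constructed, and the scoring formula is an assumption chosen for illustration.

```python
"""Toy AppSec risk pipeline (constructed example, not Kenna's code):
normalize raw findings, merge duplicates, score and rank them."""

# Constructed raw findings: three tools report the same SQL injection in billing.
RAW_FINDINGS = [
    {"tool": "sast", "app": "billing", "cwe": "CWE-89", "path": "/api/invoice", "severity": "high"},
    {"tool": "dast", "app": "billing", "cwe": "CWE-89", "path": "/api/invoice", "severity": "critical"},
    {"tool": "pentest", "app": "billing", "cwe": "CWE-89", "path": "/api/invoice", "severity": "high"},
    {"tool": "sast", "app": "intranet-wiki", "cwe": "CWE-79", "path": "/search", "severity": "high"},
    {"tool": "sca", "app": "billing", "cwe": "CWE-502", "path": "lib/serializer", "severity": "medium"},
]
SEVERITY = {"low": 2, "medium": 5, "high": 8, "critical": 10}
APP_IMPORTANCE = {"billing": 1.0, "intranet-wiki": 0.4}  # assumed business context per app
EXPLOIT_FEED = {"CWE-502"}  # constructed stand-in for a real-time exploit feed

def normalize(findings):
    """Group findings by (app, cwe, path); keep the highest severity seen and every reporting source."""
    merged = {}
    for f in findings:
        key = (f["app"], f["cwe"], f["path"])
        entry = merged.setdefault(key, {"severity": 0, "sources": set()})
        entry["severity"] = max(entry["severity"], SEVERITY[f["severity"]])
        entry["sources"].add(f["tool"])
    return merged

def risk_score(severity, app_weight, exploit_available):
    """Assumed formula: severity (0-10) scaled to 0-100 by app weight, x1.5 if a public exploit exists."""
    base = severity * 10 * app_weight
    return min(100, round(base * (1.5 if exploit_available else 1.0)))

def prioritize(findings=RAW_FINDINGS):
    """Return deduplicated findings sorted from highest to lowest risk score."""
    ranked = []
    for (app, cwe, path), entry in normalize(findings).items():
        score = risk_score(entry["severity"], APP_IMPORTANCE.get(app, 0.5), cwe in EXPLOIT_FEED)
        ranked.append({"app": app, "cwe": cwe, "path": path, "score": score,
                       "sources": sorted(entry["sources"])})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in prioritize():
        print(r["score"], r["app"], r["cwe"], r["path"], ",".join(r["sources"]))
```

Five raw findings collapse to three, and the medium-severity deserialization issue outranks the high-severity XSS because it sits in a critical app and has a known exploit.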

And since the Kenna Security Platform is already well known for its ability to deliver risk-based prioritization of vulnerabilities on the network side, using the Application Risk Module to add the same capabilities at the application layer gives your organization true visibility and the ability to measure risk full stack!

Watch our latest video to learn more on how you can finally take control and proactively manage your application risk.
