
Forrester: How to Develop a Comprehensive Application Vulnerability Management Program

To establish an effective application security program, organizations need to consider application-level vulnerability management an ongoing process, and focus on process improvement.

By Chenxi Wang, Ph.D., Forrester Research

June 10, 2008 — Cyber attackers have for years assailed network and system level vulnerabilities, fueling demand for products like firewalls and network vulnerability scanners. As these products mature and IT security teams learn to better handle network security, we are seeing a visible increase in attacks moving up the stack to target application-level vulnerabilities.

Forrester's recent security survey showed that 77 percent of enterprises and SMBs consider application security an important IT initiative, and 35 percent have already adopted or plan to adopt application security measures in the next 12 months.

To establish an effective application security program, organizations need to consider application-level vulnerability management an ongoing process, and focus on process improvement. The current crop of application security technologies helps, but does not provide a complete solution. Moreover, technology alone won't solve the problem.

So how can CSOs protect their organization's application assets? Strategically, they can look to build application vulnerability management on the foundation of risk management, supplement vulnerability management with an incident response plan, and look to asset and configuration management for complementary capabilities. Tactically, they should consider utilizing application firewalls for "right-now" protection, seeking security technologies for next generation applications, and, whenever possible, leveraging services to lower your total cost of ownership.

OPERATIONALIZING APPLICATION VULNERABILITY MANAGEMENT

Managing security vulnerabilities for production applications is a complex process that includes, at a high level, vulnerability discovery, analysis, remediation, and auditing.

More concretely, the first step in developing an Application Vulnerability Management (AVM) program is defining a set of policies that will govern the processes of AVM. You should define these policies within the context of your overall IT risk objectives. For example, if unauthorized disclosure of customer data is a critical risk, your policy should include: "My applications that handle customer data, in any way, shape, or form, should be secure against actions that can lead to breach of private consumer data."

Once you've established the policies, you can further define the other phases, discovery, analysis, and remediation, with concrete steps that are governed by the policies.

Vulnerability Discovery

Identifying vulnerabilities is an essential step towards risk mitigation. Sources of this discovery process include, but are not limited to, application vulnerability scanners, the software manufacturer, and third party penetration tests. The key here is to establish a systematic process for vulnerability discovery. This process should include:

  • Leveraging external sources. Subscribe to your vendors' vulnerability announcement lists, public vulnerability databases, and, if applicable, vulnerability sharing clubs. Filter the lists to look for relevant information.
  • Implementing a regular application scanning and penetration testing process. Periodically test the security health of your production applications. The best way to establish a regular scanning process is using on-demand services or tools that support auto-scheduling. Scan critical applications at least once a month - if not more frequently - and other applications quarterly.
  • Attaining application asset management. Asset management should provide information like versioning, vulnerability tracking, configuration, patching, and asset values. You can use a standalone asset management system to achieve this function, but it will likely require custom integration with your vulnerability management solution.
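The three parts of the discovery process above can be wired together in a small script. The following is an added example, not code from the Forrester article: it filters a constructed set of vendor advisories against a constructed application inventory (product, version, asset value, whether the application handles customer data), ranks the findings by the policy criteria the article describes, and flags which applications are overdue for the monthly or quarterly scans it recommends. Every application name, advisory id, version number and date below is made up for the example; the "below the fixed version means affected" rule is a simplifying assumption about how advisories are expressed.

```python
"""Correlate external vulnerability announcements with an application asset inventory.

Added example (not the article's own code). Shows the discovery steps the text lists:
filtering vendor/public advisories down to the ones relevant to what we actually run,
using asset-management data to decide what matters most, and checking scan cadence.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Application:
    name: str
    product: str               # product/framework whose advisory list we subscribe to
    version: tuple             # e.g. (2, 4, 1); tuples compare component-wise
    handles_customer_data: bool
    asset_value: int           # 1 (low) .. 5 (critical), taken from asset management
    last_scan: date


@dataclass
class Advisory:
    advisory_id: str           # constructed ids, not real advisories
    product: str
    fixed_in: tuple            # assumption: every version below this is affected
    severity: str              # "low" | "medium" | "high" | "critical"


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def is_critical(app: Application) -> bool:
    """Policy: anything touching customer data, or a high-value asset, is critical."""
    return app.handles_customer_data or app.asset_value >= 4


def relevant_advisories(apps, advisories):
    """Filter the feed: keep only advisories that hit a product and version we run."""
    hits = []
    for adv in advisories:
        for app in apps:
            if app.product == adv.product and app.version < adv.fixed_in:
                hits.append((app, adv))
    return hits


def prioritize(hits):
    """Order findings: policy-critical apps first, then severity, then asset value."""
    return sorted(
        hits,
        key=lambda h: (is_critical(h[0]), SEVERITY_RANK[h[1].severity], h[0].asset_value),
        reverse=True,
    )


def scans_due(apps, today: date):
    """Critical apps are scanned at least monthly (30 days), others quarterly (90)."""
    due = []
    for app in apps:
        interval = timedelta(days=30) if is_critical(app) else timedelta(days=90)
        if today - app.last_scan >= interval:
            due.append(app.name)
    return due


# Constructed sample inventory and advisory feed.
APPS = [
    Application("billing-portal", "webfw", (2, 4, 1), True, 5, date(2008, 5, 1)),
    Application("intranet-wiki", "wikiengine", (1, 9, 0), False, 2, date(2008, 4, 1)),
    Application("marketing-site", "webfw", (2, 5, 0), False, 3, date(2008, 6, 1)),
]
ADVISORIES = [
    Advisory("ADV-0001", "webfw", (2, 5, 0), "high"),        # hits billing-portal only
    Advisory("ADV-0002", "wikiengine", (2, 0, 0), "critical"),
    Advisory("ADV-0003", "dbserver", (10, 0, 0), "critical"),  # product we do not run
]
TODAY = date(2008, 6, 10)


def report(apps=APPS, advisories=ADVISORIES, today=TODAY):
    """Return (prioritized findings, apps overdue for a scan)."""
    findings = prioritize(relevant_advisories(apps, advisories))
    return findings, scans_due(apps, today)


if __name__ == "__main__":
    findings, overdue = report()
    for app, adv in findings:
        flag = "CRITICAL" if is_critical(app) else "normal"
        print(f"{adv.advisory_id} {adv.severity:8} -> {app.name} ({flag})")
    print("scan overdue:", overdue)
```

Running the script lists the billing portal first even though its advisory is only "high": the policy criterion (customer data) outranks raw severity, which is the point of defining policy before tuning tools. The advisory for a product not in the inventory is dropped, and only the critical application is overdue under the monthly cadence.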
