Forrester: How to Develop a Comprehensive Application Vulnerability Management Program

To establish an effective application security program, organizations need to consider application-level vulnerability management an ongoing process, and focus on process improvement.

Cyber attackers have for years assailed network and system level vulnerabilities, fueling demand for products like firewalls and network vulnerability scanners. As these products mature and IT security teams learn to better handle network security, we are seeing a visible increase in attacks moving up the stack to target application-level vulnerabilities.

Forrester's recent security survey showed that 77 percent of enterprises and SMBs consider application security an important IT initiative, and 35 percent have already adopted or plan to adopt application security measures in the next 12 months.

To establish an effective application security program, organizations need to consider application-level vulnerability management an ongoing process, and focus on process improvement. The current crop of application security technologies helps, but does not provide a complete solution. Moreover, technology alone won't solve the problem.

So how can CSOs protect their organization's application assets? Strategically, they can look to build application vulnerability management on the foundation of risk management, supplement vulnerability management with an incident response plan, and look to asset and configuration management for complementary capabilities. Tactically, they should consider utilizing application firewalls for "right-now" protection, seeking security technologies for next generation applications, and, whenever possible, leveraging services to lower your total cost of ownership.


Managing security vulnerabilities for production applications is a complex process that includes, at a high level, vulnerability discovery, analysis, remediation, and auditing.

More concretely speaking, the first step in developing an Application Vulnerability Managmenet (AVM) program is defining a set of policies that will govern the processes of AVM. You should define these policies within the context of your overall IT risk objectives. For example, if unauthorized disclosure of customer data is a critical risk, your policy should include: "My applications that handle customer data, in any way, shape, or form, should be secure against actions that can lead to breach of private consumer data."

Once you've established the policies, you can further define the other phases, discovery, analysis, and remediation, with concrete steps that are governed by the policies.

Vulnerability Discovery

Identifying vulnerabilities is an essential step towards risk mitigation. Sources of this discovery process include, but are not limited to, application vulnerability scanners, the software manufacturer, and third party penetration tests. The key here is to establish a systematic process for vulnerability discovery. This process should include:

  • Leveraging external sources. Subscribe to your vendors' vulnerability announcement lists, public vulnerability databases, and, if applicable, vulnerability sharing clubs. Filter the lists to look for relevant information.
  • Implementing a regular application scanning and penetration testing process. Periodically test the security health of your production applications. The best way to establish a regular scanning process is using on-demand services or tools that support auto-scheduling. Scan critical applications at least once a month - if not more frequently - and other applications quarterly.
  • Attain application asset management. Asset management should provide information like versioning, vulnerability tracking, configuration, patching, and asset values. You can use a standalone asset management system to achieve this function, but it will likely require custom integration with your vulnerability management solution.

Your policies pertaining to vulnerability discovery should state how often scanning is to be performed, for what assets, and how extensively.

Vulnerability Analysis

Risk assessment is a crucial step in vulnerability analysis. This step helps to answer questions like which vulnerabilities have critical business impact and how you should prioritize your remediation tasks. More specifically, the analysis stage should include:

  • Root cause identification. Viewing vulnerabilities in aggregation and in the appropriate operational context enables you to more accurately isolate root causes and eliminate false positives.
  • Risk prioritization. Often, an application scanning produces a list of vulnerabilities with associated CVSes to indicate their criticality. A single CVS score, however, carries a limited amount of information. You must augment that with your own risk assessment to prioritize vulnerabilities, and determine the most effective mitigation measures.


Determining the root causes of vulnerabilities should immediately kick off a remediation process. The actual remediation steps will vary depending on the nature of the cause and your development processes. But you must establish a standard process that governs vulnerability remediation.

  • Initiate a trouble resolution process. Once you determine the root cause of a vulnerability, you should issue a trouble ticket to track and monitor the progress of remediation.
  • Go to the vendor for available cures. If a vendor-supplied patch is available, patching is the easiest way to mitigate your risks. If no patch is available, you might elect to report back to your vendor and request a patch.
  • Instigate an in-house fix. This includes implementing workarounds or code-level fixes. Potential workarounds include installing specific application firewall rules, adding additional access controls, or application migration.
  • Manage the remediation process. Use an enterprise workflow system to automate the delegation of (prioritized) mitigation tasks.

Changes due to remediation in your operational environment can lead to new vulnerabilities or make old vulnerabilities regress. It is therefore imperative that you continue to perform vulnerability discovery.


The audit function should be carried out by a team independent of the personnel responsible for vulnerability management. Policy-setting management should determine the frequency of audits based on the risk of your business functions. The auditing process should include log analysis, controls assessment and incident post-mortem.

The audit reports should assess whether the vulnerability management processes and procedures are effective and, if they are not, describe deficiencies as well as suggested corrective actions.

Auxiliary Procedures

A number of additional procedures that have significant impact on operational security should be treated as part of your application security program. These procedures include developing an application security awareness and training program and documenting your vulnerability management history.

Take A Leadership Role in Application Security

Application vulnerability management is a complex subject. Effective approaches require the collaboration of security personnel, application owners, and the risk management team. By instituting a process now, CSOs can take a leadership role in ensuring their organizations applications — and the information assets contained in them — are protected before attackers find and exploit application vulnerabilities. ##

Chenxi Wang is a principal analyst at Forrester Research, where she serves security and risk management professionals. For free related research from Forrester, please visit (free site registration required).

Copyright © 2008 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)