Organisations spend heavily mitigating network level threats, but over 75% of attacks take place at the application layer (Security at the application level, Gartner). This shift of focus by the hacking community has yielded big results and organisations continue to under-spend on protecting themselves from web application security attacks.
The risks to web applications are well known, see the OWASP Top Ten for a list of the key risks, and a good web application security assessment will give you a good picture of your level of vulnerability and what action to take.
However, web application security is difficult, not only because many organisations don't know how many web applications they are running and who owns them, but also because developers are generally not confident in their security skills and the time pressure on launching applications is often fierce.
The jump in attacks and the increase in compliance guidance mean that security teams are starting to focus more and more on web applications, but a structured approach is a must. A strong Application Security Framework will provide a documented risk based process for prioritising spending on application security controls. These priorities will then drive and justify reduction of expenditures of time and money to mitigate these threats.
The starting point is an application assessment to identify applications, understand the application & business processes and to carry out threat modelling. This will map out your application landscape and give you a feel for the level of risk that exists.
The next step is have a structured process for application categorisation to separate the high risk, high impact applications from the low risk, low impact. Here simplicity is vital and a simple rating like high, medium and low will work well.
Once this is completed deciding the right security controls is the focus. Each organisation will be different and it is important that these are risk based. A common structure for applying controls is as follows
High risk
- Static and binary analysis
- Source code reviews
- Penetration testing
- Web application firewalls
- Automated and manual scanning
- Application logging and monitoring
Medium risk
- Penetration testing
- Automated and manual scanning
- Application logging and monitoring
Low risk
- Automated and manual scanning
- Application logging and monitoring
Taking a structured approach to web application security ensures that you understand the risks across the application landscape and implement controls based on risk. This approach reduces cost via consolidation, economies of scale and reduction in cost for software licensing. It also provides a standardized delivery model that can provide you with flexibility and scalability.
Whatever approach you take your web applications are vulnerable, and now is the time to take action.