THE 5 STAGES OF APPLICATION SECURITY RISKS
Why a cradle-to-grave approach to managing vulnerabilities is the best defense against today’s massive security breaches
Hacks, attacks and full-blown assaults on companies worldwide have become regular events in recent years. What is one of the most common sources of breaches? Web applications. The Verizon 2015 Data Breach Investigations Report found that web applications account for as much as 35 percent of breaches in some industries.[1] While there's no way to be completely impervious to all of today's threats, a key component of a strong application security program involves spotting potential problems and defusing them before a breach takes place.
The 5 Stages of Application Security Risks | 01
It's certainly no news flash that cybercrooks are an opportunistic bunch. According to the Verizon report, 98 percent of web application attacks aim at easy marks such as coding errors and unprotected applications.[2] What's more, these intrusions and breaches can take place at any stage of the software lifecycle, which makes it essential to monitor conditions throughout all five lifecycle stages:
- Design
- Development
- Deployment
- Upgrade and Patches
- Maintenance
Veracode has found that a typical organization has, on average, 30 percent more websites and web pages than it officially recognizes. Making matters worse, about 80 percent of applications written in web scripting languages are vulnerable to at least one threat risk at the time of an initial assessment.[3]
SURVEYING THE DANGERS
You should launch your application security initiative before any code is ever written and continue your efforts through the entire software lifecycle. There are risks at each stage.

WHAT ARE THE MOST COMMON ATTACK METHODS?[4]
- Use of Stolen Credentials: 51%
- Use of Backdoor or C2: 41%
- SQL Injection: 19%
- Remote File Inclusion (RFI): 8%
- Abuse of Functionality: 8%
Design
The design stage is critical because it establishes an organization’s overall web application security framework. The biggest risks at this stage include:
- Poor design of security technologies such as password management, failure to incorporate multifactor authentication, or other authentication and authorization technologies
- Practices and procedures that allow inadvertent or malicious abuse of resources, such as poor or no threat modeling, as well as a failure to anticipate and/or defend against possible paths of attack
- Software and code that fail to address specific and known vulnerabilities
- Applications and software that are used differently than originally intended and, therefore, are in a new risk landscape, such as applications that are newly deployed in the cloud

According to Veracode initial assessment scan data, vulnerabilities in various scripting languages range from about 21 percent for Java to 64 percent for Microsoft Classic.[5]
Development
During the development stage, it's vital to focus on several issues that directly impact security. Among the biggest risks:
- A lack of standards and standard libraries for software coding, including data format validation and database validation
- A lack of governance structure and standards that encompass API libraries, coding libraries and open-source scripting
- Too little emphasis on testing software for application security issues, or managing the process at too late a stage or in an ad hoc way. This is a major concern in Agile and DevOps environments.
- No mechanism for staying current about new threats and recently discovered bugs in the code base, and no systematic and effective way to find all instances of a vulnerability
- A lack of developer knowledge about security that leads to errors and programming gaps
Deployment
As an organization rolls out a web application, there's a focus on ramping up new or improved functionality. But too often, during this phase, security takes a back seat. Here's how an organization can get hurt:
- Little or no focus on testing of software to determine whether it's vulnerable
- Avoiding or underutilizing testing in a race to deploy applications and software rapidly
- No use of scanning tools that identify vulnerabilities before hackers can exploit them. The average organization has about 30 percent more web applications and pages than it knows about. In some cases, "Shadow IT" (unauthorized IT systems) represents a risk as well.
- A lack of consideration for protective security tools, such as a web application firewall or runtime application self-protection (RASP)
Upgrade and Patches
This phase is paramount because it represents an opportunity for developers and security teams to reassess and improve the level of application security. Here are some of the pain points:
- An organization may overlook rescanning and reassessing web applications after updates. As a result, it misses emerging vulnerabilities and fails to fix existing risks.
- Development teams and others don't adequately update information about components and software versions, leading to incomplete information and larger threat exposure.
Do you know where the vulnerabilities in your organization’s software come from? Our informative guide, How Do Vulnerabilities Get Into Software?, reveals the four main sources, so you’re better equipped to create an application security strategy that will protect your business and reduce your risk.
Maintenance
Today, business and IT environments change, and on a daily basis. As organizations migrate to clouds, harness the Internet of Things and advance web and mobile applications, new risks materialize. A few of the common risks at this stage:
- Viewing web application security as static and failing to reassess periodically, particularly when major hardware, operating system or application changes take place. Risk levels may increase or decrease as IT changes take place.
- Overlooking metrics that provide concrete information about risks and help convince senior management to budget for specific cybersecurity tools and solutions
Embracing a More Secure Model
A holistic and comprehensive framework, one that addresses potential risks and threats, goes a long way toward building a better enterprise cybersecurity strategy.
WANT TO LEARN MORE ABOUT APPLICATION SECURITY?
Get all the latest news, tips and articles delivered right to
your inbox by subscribing to our blog.
Subscribe Now
ABOUT VERACODE
Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market without compromising security.
Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.
Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands. Learn more at www.veracode.com, on the Veracode blog and on Twitter.
[1] Verizon 2015 Data Breach Investigations Report, Verizon, April 2015.
[2] Ibid.
[3] “Four Out of Five Applications Written in Web Scripting Languages Fail OWASP Top 10 Upon First Assessment,” Veracode, December 3, 2015.
[4] Verizon 2015 Data Breach Investigations Report, Verizon, April 2015.
[5] State of Software Security: Focus on Application Development, Supplement to Volume 6, Veracode, Fall 2015.
The 5 Stages of Security Risk in Web Applications