OpenSSL3 Critical vulnerability: How to fix CVE-2022-3602 and CVE-2022-3786 | Read here  >>

The CyberRisk Summit is back: Join us on Dec 6. as we recap the cyber risk landscape in 2022 | Get free ticket >> 

Product update: Group and deduplicate vulnerabilities with “Vulnerability Clusters” for efficient cyber risk management | Read here  >>

OpenSSL3 Critical vulnerability: How to fix CVE-2022-3602 and CVE-2022-3786 | Read here  >>

The CyberRisk Summit is back: Join us on Dec 6. as we recap the cyber risk landscape in 2022 | Get free ticket >> 

Product update: Group and deduplicate vulnerabilities with “Vulnerability Clusters” for efficient cyber risk management | Read here  >>

How-to guides

App security prioritization: the top inputs

App security requires dedicated attention, particularly when it comes to the prioritization of threats and vulnerabilities. Here's what you need to know.

Tal Morgenstern | May 17, 2022

With the demand for high-performing, user-friendly applications at an all-time high, developers are now using different programming languages to gain a competitive edge. The downside, however, is that this can lead to app security issues, which are often overlooked.

But security is also a key factor when it comes to your application’s success. A securely developed app can help keep attackers at bay, ensure compliance requirements are being met, and build trust with customers and other third parties connected to the business. Developing secure applications, however, comes with multiple challenges.

As market demands increase, developers are more pressured than ever to speed up the development process. But in many cases, they also skimp on security testing, leading to security issues that may go undetected in the earlier stages of the software development life cycle (SDLC).

In addition, the programmers working on these apps understand development but may not have the same level of understanding about security and secure coding practices. Some developers see security as a hindrance to the development process that delays iterations.

At the same time, the organization may be reluctant to adopt a DevSecOps approach that would help to implement app security best practices. Even if the company lacks experts knowledgeable in both security and development, security tools can help uncover security issues in very early stages and provide an overall picture of security. 

While not every organization is willing to allocate the budget and resources for security application testing toolings, more and more companies today understand the value of investing in app security.

How to improve app security

Application security in particular is often focused on the developers and the teams managing the app after its release. But security should not be viewed as the responsibility of the developers or IT teams alone. Rather, every employee should adopt a security mindset as part of a company-wide culture.

Following these guidelines can vastly improve the security of your application:

  • Provide secure coding training for developers
  • Prioritize assets
  • Enable secure SDLC in the development cycles
  • Implement access management policies
  • Develop patching policies and procedures
  • Have a structured incident-handling process
  • Use application security scanners and pentesting
  • Be aware of the vulnerabilities in the third-party components
  • Use automation whenever possible to minimize errors
  • Secure all inputs, data transmissions, and storage

App security best practices

Whether a web, mobile, or cloud-based application, the following steps are key to developing more secure apps.

Authentication

Whether it's an end user authenticating to a system, an automated account doing so, or any other entity, the authentication method must be robust and reliable. This can be achieved via biometrics, PIN codes, passwords, or multi-factor authentication (MFA), for example. The verification mechanisms being used in the application must be strong enough to prevent verification from being bypassed.

Authorization

Not every user or system in the environment requires the same level of access. Following the principle of least privilege (PoLP) and granting only the access that is required to perform a given task—for end users as well—is therefore a must. Implementing role-based access (RBAC) policies for your application allows you to define boundaries and which tasks users can perform as opposed to having a single common role for all users.

For example, an operations team member should not have the access needed to approve a code release since this is outside the realm of their responsibility. Granting permissions to approve code releases to those who lack the required knowledge could also have serious consequences, including downtime and breaches of confidentiality.

Encryption

Assets are prioritized based on the information they hold, transmit, and capture. Data should also be easily accessible and secure to avoid loss of integrity. Encrypting data of high importance is therefore essential to protecting your systems from attackers.

Logs

No matter how you apply security practices and mechanisms, incidents can still happen. Maintaining essential logs, including at the system and network levels, will help to identify security issues and—in case of an attack—enable you to investigate the root causes and to harden your application in order to prevent future incidents.

Awareness, continuous monitoring, and alerting

Releasing a secure application doesn’t guarantee ongoing security. Applications are constantly evolving and going through rapid development cycles. Teams must therefore be well informed about vulnerabilities in the libraries or third-party components being used so that they are properly handled and to verify they do not contain direct threats to your systems. Subscribing to threat feeds and setting rules to trigger alerts on misconfigurations (e.g., code or system) or suspicious activities (e.g., network or WAF changes) are therefore essential to the security of your application.

Vulnerability-based prioritization methods for app security

When weaknesses exist in your application, system, or any asset, this broadens the attack surface, which could lead to cyber attacks. Poor coding practices, improper validation, or use of vulnerable components in your application can all lead to application-level vulnerabilities that could be exploited. It’s therefore important to pay attention to daily security feeds and vulnerability exploits in order to maintain security.

Some systems use defense-in-depth mechanisms, and the impact or possibility of an exploit from the vulnerability may be low. For this reason, organizations need to focus not only on securing the application in the development phase—they also need a well-aligned, streamlined vulnerability management program that considers the risk to the business. 

When a vulnerability is identified in your application, teams need to know which to fix first and within what time frame. Service level agreements (SLAs) or streamlined vulnerability management policies and procedure guidelines should never be optional.

Security scanning tools and vulnerability databases prioritize vulnerabilities using different methods. 

Let’s take a look at both organizational-based and standard inputs for prioritizing vulnerabilities:

  • Severity (CVSS): Vulnerabilities with higher CVSS scores require immediate attention if there are publicly available exploits. But a higher CVSS score vulnerability might pose a low risk to the organization when factoring in unique business considerations.
  • Application type: This needs to be defined by the company itself based on how valuable it may be. Applications that store, transmit, or process financial data or health information must meet compliance requirements. These types of apps therefore should be prioritized.
  • Asset criticality: This should be determined by the organization. High-value asset vulnerabilities should be prioritized in the remediation process.
  • Popularity: Attackers are more likely to exploit popular vulnerabilities since there is more information at their disposal including about system weaknesses. When such a vulnerability is detected, therefore, it should get more attention.
  • Disclosure date: With zero-day attacks, teams may need some time to follow up and plan the remediation. But critical vulnerabilities disclosed months ago should never be left unattended.
  • Remediation time: This depends on the size of the organization and may differ from one organization to another. Nonetheless, remediation times should be reasonable from a security perspective and not calculated based on how well staffed your security teams are.

When prioritizing vulnerabilities, it's also important to consider asset exposure, business impact, the business domain, publicly available Metasploits, and threat intelligence for a broader understanding of business-specific risk. In some cases, defense-in-depth mechanisms and other security measures minimize the possibility of exploiting a vulnerability. Moreover, not every application captures, holds, or transmits critical data. This means they may be lower priority than applications with the same findings that contain critical information and could therefore have a greater impact on the business.

Conclusion

Maintaining an agile environment and building secure applications often brings unique challenges. The increasing number of development cycles means developers may overlook security, skip steps, or perform security checks simply to check a box while failing to focus on overall cyber hygiene. But achieving risk-based application security is possible. Having an application security management program in place helps not only by providing a security score for your application but enables continuous security.

The Vulcan Cyber® risk management platform shows you the threats that matter to your business application environments so you can make informed decisions and own your risk. Request a demo.