In her years working in the security space, Veracode's SVP of Product Marketing and long-time security professional Sam King has often been asked whether companies should secure all their applications or only their most critical ones. We recently recorded a chalk talk with Sam in which she addresses this frequently asked customer question.
A transcript of the video follows.
So I often get the question from customers – do I have to test all my applications or can I get away with just testing my most mission critical ones?
So here’s how I answer that – Why are you testing your applications to begin with? Ultimately it’s about protecting the data in your organization and applications are really the layer that sits around the data and transacts with it. So let’s imagine that this is the application layer that surrounds your data. But then you might have a website that your marketing department has created even for just a short time period, not even for the long term.
If you look at the attack trends that occurred in 2011, what you saw was attackers taking advantage of any externally facing web application. If you think about this web application here, which is not a mission critical application because it’s not touching this critical data, and if there is a SQL Injection vulnerability that exists in there, or if there is an XSS issue that exists in there – what we often saw happen in 2011, and even prior to that honestly, is that people took advantage of that particular vulnerability and used that to gain a foothold inside the network. Once they’re in, they use a series of other attacks to get into the data.
So, is it important to test all of your applications? Well, it sort of is, because all applications, particularly the externally facing ones, are your enterprise's new perimeter. That is the attack frontier, and that provides an opportunity for an attacker to take advantage of these types of vulnerabilities to get inside of your network. Now, do you have to test all of your applications using the most comprehensive testing techniques from the get go? No. You can take a very pragmatic approach to developing your application security program. It all starts with discovery: if you don’t know that an application exists, you can’t test it. So you have to start by discovering your applications, and then you can use a service such as Dynamic MP, standing for massively parallel, to get a very quick scan of all of your externally facing web applications. We did this for an organization where we tested 3,000 applications in eight days, so you get a very quick understanding of all the vulnerabilities that exist in your external perimeter.
Now that you have that done, you can start to advance your program a little bit more, and you could do what we call Dynamic DS, or deep scan. This is where you start authenticating to these web applications and getting deeper into the functionality of the application, or you could start testing internally facing applications as well. Once you have that under your belt, you can go to what we refer to as Static Analysis. I liken this to genetic testing – this is where we are looking at the entirety of the code base of that application, so this (Dynamic MP) would be like getting a quick external temperature check, and this (Static Analysis) is like genetic testing. So you can perform differing and varying levels of inspection of your software to understand where the weaknesses are.
You don’t have to start here. You can start in a much simpler way, and as your organization matures and develops all the processes around doing application security testing, you can start to go down this path all the way to static analysis. That is how we would recommend that you test all of your applications very quickly and then progress down this path.