September 9, 2014

How to Develop an Enterprise-Wide Security Vulnerability Assessment Solution

Enterprises have to consider a security vulnerability assessment to protect their applications and systems.

It's becoming evident that modern enterprise executives understand the importance of application security (AppSec). Despite this, only a very small percentage of applications undergo a true security vulnerability assessment, leaving the majority wide open to attack. Enterprise executives who understand the importance of AppSec must learn how to secure both new and existing apps, and develop a solution that makes it simple to keep them secure going forward, even when scaling to test hundreds to thousands of apps per month.

The Gap in Enterprise-Wide Application Security

A joint study with CSO and IDG found that executives are more focused than ever on ensuring their applications are secure. The study surveyed US executives and determined that 52 percent of enterprises have mandated an enterprise-wide application security program, which marks a significant improvement from similar surveys in previous years.

This shift in executive thinking is likely due both to the visibility that application security issues have received in the past year and to the fact that even after these executives have shored up the access points and physical infrastructure, attackers are still able to gain access through the applications themselves. Applications don't have to be weak points in an enterprise's network, but if they are never tested for obvious vulnerabilities, they can act as open doors.

Despite these facts, and despite the renewed attention that AppSec is getting in the C-suite, only 36 percent of enterprise-developed applications go through a security vulnerability assessment to determine whether security holes exist, and fewer than 10 percent of enterprises ensure that all critical apps are tested during production. With almost two-thirds of applications currently untested, and the ease of development putting new applications into play every day, it is little wonder that one business after another suffers data theft or system attacks.

The good news is that businesses appear ready to address these problems: The survey found that 70 percent of US businesses expect to increase their spending on security over the next year, a number that jumps to 80 percent when only large enterprises are considered.

Delivering Necessary Application Security

Given how few internally developed applications have been properly tested, executives may fear that true AppSec on thousands of existing apps is unattainable. But ensuring enterprise-wide application security isn't impossible, even for large enterprises with dozens or hundreds of development teams.

Chief information security officers (CISOs) and managers must begin by building an understanding of the development teams: what types of applications they are working on and their respective release cycles. This can be a fairly large undertaking, especially since some teams may have adopted an Agile development paradigm while others remain on a legacy waterfall process. Once this inventory is in place, use it to create an overall security policy that takes into account the needs of all the apps in development. This way, the policy remains consistent and doesn't have to be built from scratch each time the AppSec program expands to a new team.

Taking these four points into account will allow CISOs to find a security solution that fits their needs:

  1. Scalable: A cloud-based program can grow with little friction as more development teams are added.
  2. Centralized: A security policy runs more smoothly when it is managed and updated from a single dashboard.
  3. Intelligent: It should learn as it scans and use the power of the cloud to recognize and check for new threats as they emerge.
  4. Binary static testing: The solution must be able to scan apps that are still in development and that contain third-party code, without requiring source code for every component.

Roll out the solution to a handful of development teams to begin with, choosing those working on mission-critical apps and those whose timetables allow the flexibility of adding new steps to their software development life cycle. As these teams find success with the program, and as the enterprise becomes more secure, this small series of wins will make it easier to scale the program up to the entire enterprise. Once all the development teams are on board, the same program can be expanded to provide a security vulnerability assessment of existing apps, eventually ensuring that the entire enterprise and its thousands of apps are secure.

If enterprise executives want to get serious about enterprise-wide application security, building a solution around these practices will provide the best opportunity for success. With the right cloud-based solution in place, scaling up as application needs increase, or shifting gears as the threat landscape changes, is remarkably simple and helps ensure that the entire stable of applications remains secure in the coming years.

Shawn Drew has spent the last five years helping businesses understand the difference that technology can make for their internal processes, external connections, and bottom line. He specializes in all things cloud computing and security, and hopes to impart some knowledge on how the two can be combined to enhance the inherent benefits of each. His work has been published on the websites and blogs of a number of technology industry leaders, such as IBM, Veracode and Boundary.