3 Steps to Scoring Quick Wins in Application Security

Transcript of 3 Steps to Scoring Quick Wins in Application Security

Page 2: 3 Steps to Scoring Quick Wins in Application Security


Data breaches are almost a daily event — and the problem is only growing worse. Information technology consulting firm Gartner reports that worldwide information security spending will more than double from 2015 to 2020, when it is expected to reach $170 billion.1

But while many security teams depend on a number of tools, including antivirus protection, network security and endpoint systems, to protect their organization, they sometimes skip over a key component: application security. Doing so leaves your organization vulnerable to threats at every level.

3 Steps to Scoring Quick Wins in Application Security | 01

WORLDWIDE INFORMATION SECURITY SPENDING WILL MORE THAN DOUBLE FROM 2015 TO 2020: $170 BILLION

Page 3: 3 Steps to Scoring Quick Wins in Application Security

Nearly 80 percent of applications written in web scripting languages are vulnerable to at least one threat at an initial assessment.2 And the problem isn't just theoretical: The 2015 Verizon Data Breach Investigations Report found that up to 35 percent of breaches result from web application attacks.3

It's critical to have a system in place that identifies not only your assets, but also the risks and potential damages that come with those assets. To prove to your organization just how valuable an application security program can be, you need to demonstrate quick wins.

Start with these three steps to land immediate wins:

1. Monitor your web application perimeter.
2. Analyze your organization's web applications.
3. Implement an action plan that addresses vulnerabilities and hardens protection.

There's a 28 percent higher fix rate for vulnerabilities found by static analysis compared to those found by dynamic analysis.4

Page 4: 3 Steps to Scoring Quick Wins in Application Security

STEP 1: Gain visibility into your web application perimeter.

Making progress quickly is as easy as 1, 2, 3.

Identifying inactive, obsolete, and dead or dangerous sites is paramount. Regrettably, many organizations depend on manual or ad hoc methods to run the discovery process and catalog sites and embedded apps. A haphazard approach can miss risks and vulnerabilities and lead to a false sense of security.

A solution should deliver production-safe, application-layer crawling to build an accurate inventory and highlight exploitable vulnerabilities. It must scan thousands of applications simultaneously and, using multiple discovery techniques and application intelligence, produce highly actionable information and reports.

ATTACKS ARE OPPORTUNISTIC. ABOUT 98 PERCENT OF WEB APPLICATION ATTACKS AIM AT EASY MARKS SUCH AS CODING ERRORS AND UNPROTECTED APPLICATIONS.5

Code Red

63% of apps display vulnerabilities as a result of code quality
58% have vulnerabilities based on cryptographic issues
56% suffer from information leaks
47% have cross-site scripting (XSS) vulnerabilities
29% are vulnerable to SQL injection6

Page 5: 3 Steps to Scoring Quick Wins in Application Security

STEP 2: Analyze the inventory of your organization's web applications.

A discovery scan is only a starting point for determining the level of risk your organization faces. It's imperative that you complete a detailed analysis of exploitable vulnerabilities on all of the websites you discover. This will help you prioritize risks and determine next steps for addressing vulnerabilities.

An effective solution must provide a centralized dashboard that executives, developers and security personnel can use to make both strategic and tactical decisions. It must aid in enforcing policies and help the enterprise weigh costs against potential damages. Finally, this tool must provide continuous feedback and update itself regularly as attack methods and risks evolve and change.

VERACODE HAS FOUND THAT ORGANIZATIONS TYPICALLY HAVE ABOUT 30 PERCENT MORE WEBSITES AND WEB PAGES THAN THEY KNOW ABOUT. THESE REPRESENT REAL-WORLD CYBERSECURITY RISKS.

Nearly 80 percent of applications written in web scripting languages are vulnerable to at least one threat at an initial assessment, according to findings from Veracode.

Page 6: 3 Steps to Scoring Quick Wins in Application Security

STEP 3: Implement an action plan for addressing existing vulnerabilities and hardening your protection.

When your organization has a clear view of the vulnerabilities, risks and costs it's facing, security teams and others can make informed decisions and prioritize fixes and solutions. This might include moving a site or page behind a firewall, taking an unowned or obsolete site offline, or recognizing that developers need to patch or recode an application.

A unified platform can also introduce a more streamlined framework that allows an organization to stay on top of risks. Instead of sinking under the collective weight of spreadsheets, document files, e-mails and PDF files, an enterprise can slide the dial from reactive and chaotic to proactive and strategic.

LESS THAN 26 PERCENT OF ORGANIZATIONS HAVE MANDATED, ONGOING SECURE CODING EDUCATION PROGRAMS.6
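The three steps above, run end to end on constructed sample data, as an added example that is not part of the original ebook and not Veracode's platform or code. Every hostname, last-seen date, finding and severity below is made up, and the scoring weights (internet-facing 2x, host with no owner 1.5x, stale host 1.25x, a 90-day staleness window) are assumptions; in a real program the discovered hosts would come from the crawler, DNS and certificate records described in step 1, and the findings from your scanner. What it shows that the prose does not is the mechanics: the inventory gap is a set difference between what was discovered and what was catalogued, and the action plan falls out of ranking findings by severity weighted by exposure and ownership.

```python
"""Worked example of the three-step procedure on constructed data.

Added illustration, not Veracode's tooling: all hosts, dates, findings,
severities and weights are assumptions chosen for this example.
"""
from datetime import date, timedelta

TODAY = date(2015, 11, 3)          # constructed "scan date"
STALE_AFTER = timedelta(days=90)   # assumption: no 200 response in 90 days -> obsolete

# Step 1 input. Constructed: what the organisation believes it owns (e.g. a CMDB export).
KNOWN_INVENTORY = {
    "www.example.com", "shop.example.com", "api.example.com", "legacy.example.com",
}

# Constructed discovery output: host -> date the crawler last saw a 200 response
# (None means the name resolved but nothing answered).
DISCOVERED = {
    "www.example.com": date(2015, 11, 2),
    "shop.example.com": date(2015, 11, 2),
    "api.example.com": date(2015, 11, 1),
    "legacy.example.com": None,                   # catalogued, but dead
    "promo2013.example.com": date(2015, 2, 14),   # uncatalogued and stale
    "staging.example.com": date(2015, 11, 2),     # uncatalogued and live
}

# Step 2 input. Constructed scan findings: (host, weakness, severity 1-5).
FINDINGS = [
    ("www.example.com", "XSS", 3),
    ("shop.example.com", "SQL Injection", 5),
    ("shop.example.com", "Information Leak", 2),
    ("staging.example.com", "Information Leak", 2),
    ("promo2013.example.com", "SQL Injection", 5),
    ("api.example.com", "Cryptographic Issue", 3),
]

# Assumed business context: hosts reachable from the internet.
INTERNET_FACING = {
    "www.example.com", "shop.example.com", "promo2013.example.com", "staging.example.com",
}


def reconcile(known, discovered, today):
    """Step 1: classify the discovered perimeter against the known inventory."""
    classes = {"unknown": set(), "dead": set(), "stale": set()}
    for host, last_seen in discovered.items():
        if host not in known:
            classes["unknown"].add(host)       # live on the perimeter, nobody catalogued it
        if last_seen is None:
            classes["dead"].add(host)          # still in DNS, no longer serving anything
        elif today - last_seen > STALE_AFTER:
            classes["stale"].add(host)         # answering, but probably abandoned
    return classes


def inventory_gap_percent(known, classes):
    """How many more sites exist than the inventory says (the page's '30 percent' metric)."""
    return 100 * len(classes["unknown"]) / len(known)


def risk_score(host, severity, classes, internet_facing):
    """Step 2: severity weighted by exposure and ownership gaps (weights are assumptions)."""
    score = float(severity)
    if host in internet_facing:
        score *= 2.0      # reachable by the opportunistic attacks the page describes
    if host in classes["unknown"]:
        score *= 1.5      # no owner means no one is patching it
    if host in classes["stale"]:
        score *= 1.25     # abandoned code is unlikely to receive fixes
    return score


def prioritize(findings, classes, internet_facing):
    """Step 2: return (score, host, weakness) ordered most urgent first."""
    scored = [(risk_score(h, s, classes, internet_facing), h, w) for h, w, s in findings]
    return sorted(scored, key=lambda t: (-t[0], t[1], t[2]))


def action_plan(classes, prioritized):
    """Step 3: turn the analysis into concrete, owner-assignable actions."""
    plan = []
    for host in sorted(classes["dead"]):
        plan.append((host, "decommission: remove DNS record and inventory entry"))
    for host in sorted(classes["unknown"]):
        plan.append((host, "assign an owner or take it offline; add to inventory"))
    for score, host, weakness in prioritized:
        if weakness == "SQL Injection":
            plan.append((host, f"recode: parameterize queries (score {score:g})"))
        elif weakness == "XSS":
            plan.append((host, f"recode: contextual output encoding (score {score:g})"))
        else:
            plan.append((host, f"triage {weakness} (score {score:g})"))
    return plan


if __name__ == "__main__":
    classes = reconcile(KNOWN_INVENTORY, DISCOVERED, TODAY)
    gap = inventory_gap_percent(KNOWN_INVENTORY, classes)
    print(f"inventory gap: {gap:.0f}% more live sites than catalogued")
    ranked = prioritize(FINDINGS, classes, INTERNET_FACING)
    for host, action in action_plan(classes, ranked):
        print(f"{host:24} {action}")
```

The ordering is the point: the SQL injection on the forgotten, internet-facing promo site outranks the same weakness on the catalogued shop, because nobody owns it and nobody will fix it unless discovery puts it on the list first.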

Page 7: 3 Steps to Scoring Quick Wins in Application Security

USE THE VERACODE APM CALCULATOR AS A STARTING POINT FOR UNDERSTANDING YOUR ORGANIZATION'S RISK LEVEL. IT WILL PROVIDE A SNAPSHOT OF WHERE YOUR ENTERPRISE IS AND WHERE IT NEEDS TO BE.

Manual, ad hoc tools that are not kept current introduce risks and gaps that can cripple an enterprise. In a fast-changing and increasingly risky digital world, it's critical to protect the web perimeter. Here's how to ensure that your organization remains secure:

7 Ways to Reduce Risk

1. Assess your situation and risks by scanning the web perimeter.
2. Make the results of a scan and any relevant status reports available to key groups.
3. Support communication and collaboration across groups and departments.
4. Gain buy-in by quantifying and weighing risks.
5. Prioritize threats and develop a plan for addressing risks.
6. Demonstrate results and publicize wins.
7. Build a governance framework and establish strong policy management.

Passing Grades

The percentage of applications written in each language that pass OWASP Top 10 policy on first assessment7:

C/C++: 60%
iOS: 44%
JavaScript (mobile): 38%
Android: 31%
.NET: 27%
Java: 24%
PHP: 21%
ColdFusion: 19%
Classic ASP: 17%

Page 8: 3 Steps to Scoring Quick Wins in Application Security

According to Plan

Web application security is an essential piece of the cybersecurity puzzle. Although many organizations have basic and ad hoc protections in place, they need to take the initiative to the next level with a more holistic and dynamic framework. Reducing risk and eliminating threats lets an organization avoid potential multi-million dollar breaches, bad press, a damaged brand name and, ultimately, a crippled or failed business. Then an enterprise can focus on what it does best: meeting customer needs and expectations.

Page 9: 3 Steps to Scoring Quick Wins in Application Security

In today's competitive business environment, demonstrating immediate payoffs will help you prove just how valuable an application security program can be. Find out more in "Quick Wins: Why You Must Get Defensive About Application Security."

WANT TO LEARN MORE ABOUT APPLICATION SECURITY?

Get all the latest news, tips and articles delivered right to your inbox by subscribing to our blog.

Page 10: 3 Steps to Scoring Quick Wins in Application Security

ABOUT VERACODE

Veracode is a leader in securing web, mobile and third-party applications for the world's largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market without compromising security.

Veracode's powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.

Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes' 100 Most Valuable Brands. Learn more at www.veracode.com, on the Veracode blog and on Twitter.

1 "Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware," Gartner, August 22, 2014.

2 "Four Out of Five Applications Written in Web Scripting Languages Fail OWASP Top 10 Upon First Assessment," Veracode, December 3, 2015.

3 2015 Data Breach Investigations Report, Verizon, April 2015.

4 State of Software Security: Focus on Application Development, Supplement to Volume 6, Veracode, Fall 2015.

5 State of Software Security: Focus on Application Development, Supplement to Volume 6, Veracode, Fall 2015.

6 Survey on Application Security Programs and Practices, SANS Institute, 2014.

7 State of Software Security: Focus on Application Development, Supplement to Volume 6, Veracode, Fall 2015.