Get Started with Web Application Security
Transcript of Get Started with Web Application Security
3 Steps to Get Started with Web Application Security
VERACODE EBOOK
3 STEPS TO GET STARTED WITH WEB APPLICATION SECURITY
“Application-layer attacks are growing much more rapidly than infrastructure attacks.”
AKAMAI
Insecure Applications Up Your Chance of a Breach
In 2014, there were 8 major breaches through the application layer, resulting in more than 450 million personal or financial records stolen.
WHY? Despite the Risk… AppSec Is Often Neglected
Unlike other forms of security, AppSec:
• Affects many employees in many different departments
• Has to tackle a large, complex and ever-changing threat landscape
Most find it hard to know where to begin with application security, and find it an easy project to put off.
“Web app attacks are now more common than highly publicized denial of service (DoS) assaults, cyber espionage and cyber intrusions.”
VERIZON 2015 DATA BREACH INVESTIGATIONS REPORT
THE SOLUTION? Making AppSec Manageable
Start small and get a quick win. You’ll prove your concept and get buy-in. Web application security is a good place to start. Why?
• Web apps are both high risk and high importance — securing them is a high-profile win.
• With the right tools, you can make progress with web AppSec quickly and easily.
Three Steps to Get Started with Application Security
1. Know what you have.
2. Get rid of what you don’t need.
3. Scan for top 10 vulnerabilities.
STEP 1
Know what you have.
You can’t protect what you aren’t aware of. Start by creating an inventory of all your externally facing web applications.
With an automated discovery solution, you can:
• Quickly and accurately scan your web application perimeter.
• Find out what you have, and where vulnerabilities most likely lurk.
Veracode has found that a typical organization has about 30% more web sites and web pages than it realizes.
Most organizations don’t even know how many public-facing web applications they have, thanks to:
• New websites for new marketing campaigns or geographies
• Web portals for customers and partners
• Company acquisitions
STEP 2
Get rid of what you don’t need.
Once you have a handle on your web perimeter, shut down any old, unused sites.
Congrats! With these 2 steps, you’ve just dramatically reduced your organization’s risk of breach.
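As an added illustration of steps 1 and 2 (example code written for this transcript, not Veracode's tooling; the hostnames, zone export and last-request dates are constructed), the following reconciles the inventory an organization believes it has against hosts discovered from a public DNS zone export, reports how much larger the real perimeter is, and flags hosts with no recent traffic as candidates for decommissioning:

```python
from datetime import date

# Constructed sample data (not from a real organization): what the web team
# believes it owns, versus hosts found in an exported public DNS zone.
KNOWN_APPS = {"www.example.com", "shop.example.com", "portal.example.com"}

ZONE_EXPORT = """\
www.example.com.       300 IN A     203.0.113.10
shop.example.com.      300 IN CNAME shop-prod.example.net.
portal.example.com.    300 IN A     203.0.113.20
promo2013.example.com. 300 IN A     203.0.113.30
partners.example.com.  300 IN CNAME portal.example.com.
_dmarc.example.com.    300 IN TXT   "v=DMARC1; p=reject"
"""

# Constructed: last request date seen per host in the edge access logs.
LAST_REQUEST = {
    "www.example.com": date(2015, 6, 30),
    "shop.example.com": date(2015, 6, 29),
    "portal.example.com": date(2015, 6, 30),
    "promo2013.example.com": date(2013, 12, 1),
    "partners.example.com": date(2015, 5, 2),
}

WEB_RECORD_TYPES = {"A", "AAAA", "CNAME"}

def hosts_from_zone(zone_text):
    """Step 1: hostnames in a zone export that resolve somewhere (A/AAAA/CNAME)."""
    hosts = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "IN" and parts[3] in WEB_RECORD_TYPES:
            hosts.add(parts[0].rstrip("."))
    return hosts

def discovery_gap(known, discovered):
    """Hosts the inventory missed, and how much larger the perimeter really is (%)."""
    missed = discovered - known
    pct_more = round(100 * len(missed) / len(known)) if known else 0
    return sorted(missed), pct_more

def decommission_candidates(discovered, last_request, today, idle_days=365):
    """Step 2: hosts with no request in `idle_days` days, or no traffic record at all."""
    stale = []
    for host in sorted(discovered):
        seen = last_request.get(host)
        if seen is None or (today - seen).days > idle_days:
            stale.append(host)
    return stale
```

Run `hosts_from_zone` on a real zone export and feed the result to both functions; the TXT record shows why only resolving record types are treated as web hosts.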
STEP 3
Scan for top 10 vulnerabilities.
Focus on the critical vulnerabilities at this step, not the critical apps.
Based on the results from the web app inventory:
• Dynamically scan the web apps most likely to contain exploitable vulnerabilities for the OWASP top 10 flaws.
• Get those vulnerabilities patched.
Optimize step 3 with a service or tool that can:
• Dynamically scan your apps in a production-safe manner.
• Provide actionable information that can be used by developers or fed to WAFs.
One global manufacturer reduced critical vulnerabilities by 79% in just 8 months.
NEXT STEPS
Use this quick win to get buy-in for the end goal—an application security program that:
• Assesses every application, whether built in-house, purchased or compiled
• Enables developers to find and fix vulnerabilities while coding
• Uses automation to more easily embed security into the development process and scale the program
These 3 steps are a great place to start, but not to stop.
FIND OUT MORE WITH OUR GUIDE, “GETTING STARTED WITH WEB APPLICATION SECURITY”