Get Started with Web Application Security


Transcript of Get Started with Web Application Security

Page 1: Get Started with Web Application Security

3 Steps to Get Started with Web Application Security

VERACODE GBOOK

Page 2: Get Started with Web Application Security


“Application-layer attacks are growing much more rapidly than infrastructure attacks.”

AKAMAI

Insecure Applications Up Your Chance of a Breach

In 2014, there were 8 major breaches through the application layer, resulting in more than 450 million personal or financial records stolen.

Page 3: Get Started with Web Application Security


Despite the Risk… AppSec Often Neglected: WHY?

Unlike other forms of security, AppSec:

• Affects many employees in many different departments

• Has to tackle a large, complex and ever-changing threat landscape

Most find it hard to know where to begin with application security, and find it an easy project to put off.

Page 4: Get Started with Web Application Security


“ Web app attacks are now more common than highly publicized denial of service (DoS) assaults, cyber espionage and cyber intrusions.”

VERIZON 2015 DATA BREACH INVESTIGATIONS REPORT

Making AppSec Manageable: THE SOLUTION?

Start small and get a quick win. You’ll prove your concept and get buy-in. Web application security is a good place to start. Why?

• Web apps are both high risk and high importance — securing them is a high-profile win.

• With the right tools, you can make progress with web AppSec quickly and easily.

Page 5: Get Started with Web Application Security

Three Steps to Get Started with Application Security

1. Know what you have.

2. Get rid of what you don’t need.

3. Scan for top 10 vulnerabilities.

Page 6: Get Started with Web Application Security

STEP 1: Know what you have.

You can’t protect what you aren’t aware of. Start by creating an inventory of all your externally facing web applications.

With an automated discovery solution, you can:

• Quickly and accurately scan your web application perimeter.

• Find out what you have, and where vulnerabilities most likely lurk.

Veracode has found that a typical organization has about 30% more web sites and web pages than it realizes.

Most organizations don’t even know how many public-facing web applications they have, thanks to:

• New websites for new marketing campaigns or geographies

• Web portals for customers and partners

• Company acquisitions

Page 7: Get Started with Web Application Security

STEP 2: Get rid of what you don’t need.

Once you have a handle on your web perimeter, shut down any old, unused sites.

Congrats! With these 2 steps, you’ve just dramatically reduced your organization’s risk of breach.

Page 8: Get Started with Web Application Security

STEP 3: Scan for top 10 vulnerabilities.

Focus on the critical vulnerabilities at this step, not the critical apps.

Based on the results from the web app inventory, optimize step 3 with a service or tool that can:

• Dynamically scan the web apps most likely to contain exploitable vulnerabilities for the OWASP top 10 flaws.

• Get those vulnerabilities patched.

• Dynamically scan your apps in a production-safe manner.

• Provide actionable information that can be used by developers or fed to WAFs.

One global manufacturer reduced critical vulnerabilities by 79% in just 8 months (month 1 to month 8).

Page 9: Get Started with Web Application Security


NEXT STEPS

Use this quick win to get buy-in for the end goal—an application security program that:

• Assesses every application, whether built in-house, purchased or compiled

• Enables developers to find and fix vulnerabilities while coding

• Uses automation to more easily embed security into the development process and scale the program

These 3 steps are a great place to start, but not to stop.


FIND OUT MORE WITH OUR GUIDE, “GETTING STARTED WITH WEB APPLICATION SECURITY”