Risk
3/22/2013 01:01 PM

Who Owns Application Security, Patching In Your Business?

Too many organizations lack a formal security plan, leaving applications vulnerable to exploits, warns SANS Institute.

One-third of businesses lack a formal program for tracking application security and prioritizing which vulnerabilities to patch first.

That finding comes from an application security lifecycle survey of 700 IT personnel -- half from large multinational businesses and a majority of whom work as security analysts -- conducted last year by the SANS Institute and sponsored by vulnerability management software vendor Qualys.

The SANS study found that over 25% of businesses have an application portfolio that includes fewer than 25 applications. But 22% manage more than 100 business applications, and 7% count more than 1,000. Furthermore, 28% of respondents didn't know how many applications their organization managed.

"In many cases, this is because the respondents work in large organizations that have grown over several years through mergers and acquisitions or are global companies with many subsidiaries, lacking central management of application portfolios," read a related SANS Institute report written by Jim Bird, CTO at broker-dealer and trading platform provider BIDS Trading Technologies, and Frank Kim, principal consultant at ThinkSec and curriculum lead for application security at the SANS Institute.


Maintaining an application portfolio and a formal application security program helps businesses prioritize which vulnerabilities in their commercial and open source software to patch first. The most effective prioritization may seem counterintuitive: according to research published in 2011 by vulnerability information provider Secunia, patching the programs that carry the most critical vulnerabilities removes far more risk than patching the most widely installed programs. "Averaged over the last six years, patching the top 10 most critical programs [with vulnerabilities] remediates 71% of the total risk, while patching the top 10 most prevalent programs [in terms of overall use] remediates 31% of the risk, or 1.9 times less," according to Secunia.
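The comparison above, worked through on a small portfolio as an added example (this is not Secunia's data or method, and not code from the SANS report). The portfolio, its install shares and its open CVSS scores are constructed for the demonstration, and the risk model, each open vulnerability contributing its CVSS score multiplied by the fraction of the estate that runs the program, is an assumption chosen to make the point visible. The script ranks the same portfolio three ways, by install base, by severity and by the product of the two, and reports how much of the total risk patching the top N programs under each ranking would remove.

```python
"""Which programs to patch first: prevalence vs. criticality vs. risk.

Added example, not code from the article or the SANS/Secunia research.
The portfolio below is constructed; the risk model (CVSS x install share)
is an assumption, not Secunia's methodology.
"""
from dataclasses import dataclass, field


@dataclass
class App:
    name: str
    install_share: float                      # fraction of endpoints running it, 0..1
    open_cvss: list = field(default_factory=list)  # CVSS base scores of unpatched bugs


# Constructed portfolio: very common programs with low-severity bugs next to
# less common ones carrying critical, remotely exploitable ones.
PORTFOLIO = [
    App("office-suite",    0.95, [4.3, 5.0]),
    App("browser",         0.98, [6.1, 6.5]),
    App("media-player",    0.92, [4.3]),
    App("archiver",        0.90, [2.1]),
    App("pdf-reader",      0.80, [9.3, 9.8, 7.5]),
    App("java-runtime",    0.60, [10.0, 9.3, 9.3, 7.5]),
    App("flash-plugin",    0.55, [9.8, 9.3]),
    App("chat-client",     0.50, [3.5]),
    App("trading-gateway", 0.05, [9.8]),
]


def app_risk(app: App) -> float:
    """Assumed risk model: every open bug contributes CVSS x exposure."""
    return sum(score * app.install_share for score in app.open_cvss)


def criticality(app: App) -> float:
    """Severity mass of a program, ignoring how widely it is deployed."""
    return sum(app.open_cvss)


def prevalence(app: App) -> float:
    return app.install_share


def risk_remediated(portfolio, rank_key, top_n: int) -> float:
    """Share of total portfolio risk removed by patching the top_n programs
    chosen by rank_key (largest key first)."""
    total = sum(app_risk(a) for a in portfolio)
    chosen = sorted(portfolio, key=rank_key, reverse=True)[:top_n]
    return sum(app_risk(a) for a in chosen) / total


def compare(portfolio, top_n: int = 3) -> dict:
    """Risk removed by the same patching budget under three orderings."""
    return {
        "by_prevalence":  round(risk_remediated(portfolio, prevalence, top_n), 3),
        "by_criticality": round(risk_remediated(portfolio, criticality, top_n), 3),
        "by_risk":        round(risk_remediated(portfolio, app_risk, top_n), 3),
    }


def patch_order(portfolio) -> list:
    """Programs in the order to patch them: largest risk removed first."""
    return [a.name for a in sorted(portfolio, key=app_risk, reverse=True)]


if __name__ == "__main__":
    for ranking, share in compare(PORTFOLIO, top_n=3).items():
        print(f"{ranking:16s} top 3 removes {share:.1%} of risk")
    print("patch order:", ", ".join(patch_order(PORTFOLIO)))
```

On this constructed data the three most-installed programs account for roughly 30% of the modelled risk while the three most critical account for roughly 65%, the same shape as the Secunia finding. Ranking by severity alone still misfires at the margins (the rarely installed `trading-gateway` carries a 9.8 but almost no exposure), which is why the `by_risk` ordering, weighting severity by where the software actually runs, is the general form; it is only possible when the application inventory the article calls for exists.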

Make no mistake: attackers are gunning for known vulnerabilities in applications and plug-ins, because even after vendors release patches, many businesses are slow to apply them. Blame, perhaps, the all-too-frequent deluge of vulnerability reports, such as the recent ones involving Java. "There has been a lot of time and energy spent lately on responding to matters relating to Java and the platform's security," said Robert Jeffries, a research analyst in the Security Engineering Research Team at managed security services provider Solutionary, Thursday in a blog post.

"We took a look at how many vulnerabilities were released for the platform going back to 1996. No really big surprise here," he said. "There were a lot of them. In fact, this past month -- February 2013 -- we saw a higher number of Java vulnerabilities released in a single month than in any other single month prior."

Each patch can also be a source of new exploits. In some cases, attackers have reverse-engineered Java updates less than 12 hours after their release, derived working exploits for the bugs they fix, and added those exploits to crimeware toolkits, which compete on how many PCs they can compromise in one go. Any system that has not yet applied the update is then exposed to an exploit the patch itself helped attackers build.

And that's just Java. In the past few months, while Oracle has been releasing Java 6 and Java 7 security updates, it has also been patching other critical vulnerabilities in its products, as have Microsoft for its software and Adobe for Flash, Reader, Acrobat and other applications. Crimeware vendors quickly added exploits for the patched bugs to their wares, and some of the patches addressed zero-day vulnerabilities that attackers were already exploiting.

Businesses can't instantly patch every system; they must prioritize. But how do application security managers determine which bugs to patch first? According to the SANS survey, respondents track vulnerability information in a number of ways. For vulnerabilities in open source and commercial software applications, "companies seem to use virtually every source they can," Bird and Kim said in their SANS report.

"Approximately 59% get vulnerability and threat information by subscribing to threat notification services, open source distribution lists, vendor notification lists, CERTs, news and security services from external experts," they said. "Less than 10% rely primarily on tools from third-party vendors such as Palamida or Black Duck for updates on vulnerabilities and threats. A disturbing number (12%) don't have an established method to track vulnerabilities."

The ad hoc approach applies even more to applications developed in-house. Notably, Bird and Kim found that only 23% of organizations include application security in every stage of the development lifecycle: "In another 30% of companies, application security is considered important, but developers engage with the information security team only at certain points in the development cycle." Alarmingly, 26% of businesses assess the security of an application only at the end of the development process, which is far more costly than catching bugs early in the lifecycle, and which has historically been overruled by "time to market" pressure from other parts of the business.

What's the best way to address poor application security processes in a business? Start by ensuring that senior managers and the board of directors are involved, since the SANS study found that too many businesses lack clear oversight of their application security posture. "In the survey, ownership (responsibility) extends across different parts of many organizations, including risk/compliance (33%), software assurance (18%), software development (35%) and even to the lines of business in a small number (17%) of companies," said Bird and Kim.

"However, there is no central, consistent control of application security initiatives in most organizations," the report continued. "The CIO/CTO is identified only as an owner in 38% of companies, and accountability and ownership of application security hasn't reached the highest levels of the business -- only 8% of companies identified the CEO as owning some responsibility for application security."

