The number of reported application security vulnerabilities in 2017 was more than double that from the year before, according to Fortify analysis of the National Vulnerability Database (NVD). And this increase only tells a limited part of the story about the increasing attacks at the application layer.
An increasing range of regulations and best practices help security practitioners defend against these new threats. Some are industry-specific, like HIPAA for the healthcare business and PCI DSS (Payment Card Industry Data Security Standard) for financial services. The National Institute of Standards and Technology (NIST) offers Publication 800-53. Some go broader, including the General Data Protection Regulation of the European Union (GDPR)—now mandatory for anyone processing EU citizens’ personal data—and the OWASP Top 10 list of web application vulnerabilities.
There is no 'universal' standard for application security, so the standard you use is dictated by the nature of your applications and the information they collect, use and store. Information security professionals will simultaneously applaud compliance as a driver that helps them achieve their goals of securing the enterprise while cursing its existence as a check-box method to prop up the baseline of information security we all hope protects us.
Compliance – checking the box or reducing risk?
There can be a culture of “checking the box” in response to compliance initiatives. Managers with this approach may ask “What do I need to do to meet this compliance requirement?” instead of “What do I need to do to protect myself from the threats my firm faces today?” These questions result in similar answers and actions, but check-box compliance moves slowly and can miss known threats.
OWASP Top 10
The OWASP Top 10 is a powerful awareness document for web application security and represents a consensus about the most critical security risks to web applications. Since the first OWASP Top 10 in 2003, the published list has increased in stature as a security measure. The officially released 2017 report, which included input from more than 70 individual contributors and data from more than 40 organizations, raises awareness amongst developers and managers by encouraging best practices.
As important as the OWASP Top 10 has become, it must be only a starting point for security practitioners. There are hundreds of issues that can affect software security—for instance, there are more than 700 common software security weaknesses identified by the Common Weakness Enumeration (CWE) community and nearly 900 defined in the Fortify Taxonomy of Software Security Errors—so organizations need to look beyond the Top 10 to forge an effective security program.
Many of the top reported security weaknesses in web applications didn’t make the list, and the list doesn’t cover vulnerabilities in the organization’s other attack surfaces. Fortify Software Security Research found that 90% of analyzed applications had at least one issue outside of the OWASP Top 10, and 1 out of 2 apps has critical or high vulnerabilities that are not covered by the OWASP Top 10 2017.
In fact, all of these standards (OWASP Top 10, NIST, PCI DSS, or GDPR) fail to cover some critical and high severity weaknesses. Depending on the standard, anywhere from 20% to 50% of apps have critical or high vulnerabilities not covered by the regulatory mapping.
Application security practitioners should:
- Move beyond security testing to include secure coding,
- Automate and audit compliance workflows,
- Focus on reducing risk and not limit themselves to checking boxes with compliance.
You can read more about this topic and more in our annual application security report on the state of application security.
Next time I’ll explore some GDPR implications for AppSec.
Reminder:
The Micro Focus Cybersecurity Summit 2018 will take place on September 25-27, at the Omni Shoreham in Washington, D.C. The attendance is completely free. Join us for education, skills-building and solutions-oriented discussion around the challenges you face protecting your users, apps and data.