Application Risk Management
Application risk management is the process of identifying and managing potential threats in software applications. This need has become increasingly important as application vulnerabilities are one of the most significant threats to a company’s security profile.
Research firm SAP notes that 84% of cyber attacks target the application layer. As open source components continue to increase in prevalence, so too does the risk of open source vulnerabilities within an organization’s code libraries.
See how Black Duck Hub can help you manage application risks today.
Application Security Risks
In a recent survey by Ponemon Institute, 69% of respondents noted that their organization is unaware of the entirety of applications or databases that are currently active. This represents a large population who lack insight into potentially at-risk applications, let alone into the portfolio of open source components within them.
Additionally, nearly 30% of the Ponemon respondents indicated that they have no management process. This leaves them exposed to potential security breaches and increased remediation costs for vulnerabilities identified late in the development cycle.
Structuring a Risk Management Strategy
A structured management plan outlines priorities, process, and controls for addressing identified threats.
To accomplish this, the National Institute of Standards and Technology (NIST) has constructed five core functions of cybersecurity:
- Identify: Qualify security risk, including potential impact to the application, to the organization, governance violation, etc.
- Protect: Controls and safeguards to combat security threats, including access control, security training, data protection standards, and maintenance.
- Detect: Ongoing monitoring for immediate insight into vulnerabilities and events.
- Respond: Repeatable, effective response planning, communications, analysis, mitigation, and improvement.
- Recover: Business continuity plans to quickly resume activities after a breach, minimizing the impact on operations and the customer experience.
Addressing Application Security & Open Source Use
Applications built with open source software are subject to the same security standards as proprietary software, with the added complexity of addressing vulnerable open source components within a project.
Successful open source security strategies incorporate some key mechanisms for app risk management, including:
- Awareness: It’s imperative that you establish a complete understanding of the open source components within your custom applications, and document them for reference in a bill of materials (BOM). This gives you a full account of open source components which need to be monitored for vulnerabilities, as well as code quality and compliance risks.
- Security: NIST puts the cost of addressing a software error after it has been released at nearly 30x the cost of resolving the error during coding. By mapping the open source BOM to databases of known vulnerabilities, at-risk code can be readily located and remediated early and with minimal impediment to the SDLC and at significantly lesser cost.
- Security Testing: Applications should be examined with an array of security testing tools including, but not limited to, Static, Dynamic, and Interactive Application Security Testing. In order to to address the management of open source application risks which are not covered by these other tools, we suggest the use of an Open Source Vulnerability Management (OSVM) solution.
- Ongoing vulnerability monitoring: Persistent, real-time monitoring and management of open source vulnerabilities – as they map to your codebase – permits more-immediate response to new threats, minimizing your exposure to exploit.