Understanding Application Risk Management

By Haythem Hammour, Product Marketing Manager, Brinqa

On  April 25, Docker®^[1] discovered a breach of unauthorized access to a single Docker Hub database storing a subset of non-financial user data. Usernames and hashed passwords for approximately 190,000 accounts may have been exposed, as well as GitHub®^[2] and Bitbucket®^[3] tokens for Docker auto builds. However, the risk the Docker breach poses to organizations varies based on usage, integration, and a variety of business and environmental factors. How can organizations measure and respond to the vulnerabilities in their software infrastructure? This article discusses some crucial aspects of Application Risk Management that can help build a knowledge-driven, risk-aware application security process and deliver accurate and swift risk analysis, prioritization and remediation.

Defining Application Risk Management

Application Risk Management is the utilization of fundamental risk management principles to identify, prioritize, remediate, and report security risks related to an organization’s software infrastructure. This is accomplished by analyzing data from various application testing and monitoring tools and programs – Dynamic or Web Application Security Testing (DAST), Static Application Security Testing (SAST), Interactive Application Security Testing (IAST), Software Composition Analysis (SCA), and Penetration Testing – in context of relevant business metadata and threat intelligence to drive prioritized remediation actions in IT Service Management (ITSM) tools and processes. The scope of Application Risk Management is not limited to web or desktop applications but also covers all internally developed, third-party, open-source, commercial off the shelf (COTS), custom, business, and enterprise applications, as well as web services and APIs.

The Need for Better Application Security

In 2014 Verizon started analyzing breach trends and patterns through the Verizon Data Breach Investigation Report (Verizon DBIR)^[4]. Noticeably, in the 2019 report the web application pattern (one of nine basic patterns used to categorize security incidents and data breaches) scored the highest for breaches, with a probability of one in five breaches attributed to web applications as the vector of attack. Moreover, by examining past years’ reports, it is evident that web applications have consistently been a top breach pattern in recent years.

Top Application Security Risks

Open Web Application Security Project (OWASP) commenced a project that annually outlines the ten most critical web application security risks. To compile this list OWASP uses prevalence data in combination with the consensus estimates of exploitability, detectability, and technical impact.

1. Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
2. Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.
3. Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII.
4. XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents.
5. Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced.
6. Security Misconfiguration: Commonly a result of unsecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
7. Cross-Site Scripting (XSS): XSS attacks occur when malicious scripts are injected, generally in the form of a browser side script, into trusted websites. These can occur when a web application uses input from a user in the output it generates without first validating or encoding it.
8. Insecure Deserialization: Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution to change behavior during or after deserialization.
9. Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, are often used in the development of web applications. Attackers finding security holes in these components can leave applications vulnerable to exploits.
10. Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to compromise systems further, maintain persistence, pivot to more systems, and tamper, extract or destroy data.

OWASP, Verizon, and many other organizations have done remarkable work in collecting and analyzing data on cyber threats, vulnerabilities and attacks. However, when it comes to application security there is no one-size-fits-all solution. Each organization is unique, and so are the threat actors for that organization, their goals, and the impact of any breach. If a public interest organization uses a content management system (CMS) for public information and a health system uses that same CMS for sensitive health records, a vulnerability in the CMS software will result in very different risk exposure and business impact for each organization. It is critical to understand the risk to an organization based on applicable threat agents and business impact.

Determining Risk Criticality

Generally, the risk is the combination of the probability of an event and its consequence (Risk = Likelihood × Impact). Particularly, IT risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.

The information security community relies on Common Weakness Enumeration (CWE)^[5] and Common Vulnerabilities and Exposures (CVE)^[6] organizations in standardizing severity, probability, and impact measures.

The Common Vulnerability Scoring System (CVSS)

CVSS captures the principal technical characteristics of software, hardware, and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of vulnerability relative to other vulnerabilities. CVSS is composed of three metric groups – Base, Temporal, and Environmental.

1. The Base Score reflects the severity of vulnerability according to its intrinsic characteristics, which are constant over time and assumes the reasonable worst-case impact across different deployed environments.
2. The Temporal Metrics adjust the Base severity of a vulnerability based on factors that change over time, such as availability of exploit code.
3. The Environmental Metrics adjust the Base and Temporal severities to a specific computing environment. They consider factors such as the presence of mitigation in that environment.

The Common Weakness Scoring System (CWSS)

CWSS is part of the CWE project, co-sponsored by the Software Assurance program in the office of Cybersecurity and Communications of the U.S. Department of Homeland Security (DHS). It provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. The CWSS scoring method relies on multiple metric factors clustered in three groups.

1. Base Finding metrics capture the inherent risk of the weakness, confidence in the accuracy of the finding, and strength of controls.
2. Attack Surface metrics represent the barriers that an attacker must overcome to exploit the weakness.
3. Environmental factors capture characteristics of the weaknesses that are specific to a particular environment or operational context.

For effective risk quantification and prioritization, organizations must build on these frameworks and enhance this technical information with threat intelligence (factors such as exploit availability, associated malware, zero-day, popularity, pervasiveness, etc.) and business impact considerations (operational status, data classification, supported business services, monetary impact, compliance requirements, etc.) to develop an accurate understanding of how these threats uniquely impact the business.

About the Author

Haythem Hammour Product Marketing Manager

[email protected] I ☎ (512) 372-1004

8310 N Capital of Texas Hwy, Suite 155, Austin, TX 78731

www.brinqa.com |Twitter | LinkedIn | Free! Webinars

https://twitter.com/hammour_haythem

^[1] Docker is a tool designed to make it easier to create, deploy, and run applications by using containers

^[2] GitHub brings together the world’s largest community of developers to discover, share, and build better software.

^[3] Bitbucket is a web-based version control repository hosting service owned by Atlassian, for source code and development projects

^[4] The Data Breach Investigations Report is a collaborative effort, developed by Verizon in cooperation with numerous agencies.

^[5] https://cwe.mitre.org

^[6] https://www.first.org