Why You Need to Test All Your Cloud, Mobile and Web Applications



Similar documents
Best Practices - Remediation of Application Vulnerabilities

Cenzic Product Guide. Cloud, Mobile and Web Application Security

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

Conquering PCI DSS Compliance

State of Web Application Security

2014 Security Pressures Report. Based on a survey COMMISSIONED by Trustwave

PCI Compliance for Healthcare

PCI White Paper Series. Compliance driven security

How To Test For Security On A Network Without Being Hacked

$ Drive awareness and increase participation. National account program. Flexible managed Security Solutions for hospitality

Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform

Five reasons SecureData should manage your web application security

What is Penetration Testing?

Nine Steps to Smart Security for Small Businesses

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

The PCI Dilemma. COPYRIGHT TecForte

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Enabling Continuous PCI DSS Compliance. Achieving Consistent PCI Requirement 1 Adherence Using RedSeal

Social-Engineering. Hacking a mature security program. Strategic Penetration Testing

Cutting the Cost of Application Security

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv

The problem with privileged users: What you don t know can hurt you

Are You A Sitting Duck?

Manual Penetration Testing for ContractPal

Dispelling the vapor around Cloud Security

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

2011 Cyber Security and the Advanced Persistent Threat A Holistic View

Security for a Smarter Planet IBM Corporation All Rights Reserved.

Managing IT Security with Penetration Testing

Application Security in the Software Development Lifecycle

Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical to Today s Enterprise

Marketing and Data Security

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

GUIDE TO IMPROVING INFORMATION SECURITY IDENTIFYING WEAKNESSES & STRENGTHENING SECURITY

SecurityMetrics Vision whitepaper

Eliminating Infrastructure Weaknesses with Vulnerability Management

Planning for and Surviving a Data Disaster

Roger s Cyber Security and Compliance Mini-Guide

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Virtual Patch Management Offers Automation, Availability, and Cost Benefits Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

/ BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE. By Melbourne IT Enterprise Services

Juniper Networks Secure

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

SecurityMetrics Introduction to PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

The Value of Automated Penetration Testing White Paper

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Cyber Security - What Would a Breach Really Mean for your Business?

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

Frequently Asked Questions

RETHINKING CYBER SECURITY Changing the Business Conversation


Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

AB 1149 Compliance: Data Security Best Practices

Real-Time Security for Active Directory

Understanding PCI Compliance

State of Web Application Security U.S. Survey of IT & IT security practitioners

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

FERPA: Data & Transport Security Best Practices

Vulnerability Assessment and Penetration Testing Across the Enterprise:

Technical Testing. Network Testing DATA SHEET

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

I ve been breached! Now what?

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

Financial Implications of Cybercrime Meeting the Information Security Management Challenge in the Cyber-Age

Business Opportunity Enablement through Information Security Compliance

State of Network Security 2014

White Paper. Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today s Enterprise

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

SECURE FILE SHARING AND COLLABORATION: THE PATH TO INCREASED PRODUCTIVITY AND REDUCED RISK

Cybersecurity and internal audit. August 15, 2014

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

The Importance of Cyber Threat Intelligence to a Strong Security Posture

Building a Business Case:

Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data. Dave Shackleford February, 2012

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Guide to Penetration Testing

How To Transform Insurance Through Digital Transformation

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

2012 Endpoint Security Best Practices Survey

Protecting against cyber threats and security breaches

Global IT Security Risks: 2012

The Seven Deadly Myths of Software Security Busting the Myths

Overcoming PCI Compliance Challenges

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity

Marble & MobileIron Mobile App Risk Mitigation

Gaining the upper hand in today s cyber security battle

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

CYBER SECURITY: A REPORT FROM THE TRENCHES 2015 AGC NATIONAL & CHAPTER LEADERSHIP CONFERENCE MIKE.ZUSMAN@CARVESYSTEMS.COM

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Windows XP End-of-Life Handbook for Upgrade Latecomers

Internet threats: steps to security for your small business

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

NEC Managed Security Services

Transcription:

Why You Need to Test All Your Cloud, Introduction In a recent survey of security executives, more than 70 percent of respondents acknowledged that they are performing vulnerability tests on fewer than 10 percent of their cloud, mobile and web applications. In the same survey, a majority of them also confessed that they had been hacked at least once in the last two years. We have heard similar responses in conversations with various companies. While most large businesses have started to test more and more of their applications for vulnerabilities, there is a long way to go. You are as strong as your weakest link, and in this case the weakest links are untested applications. Hackers attack any application that has security weaknesses. Although testing high-value and mission-critical applications is better than not testing at all, the problem is that hackers will exploit one of the other applications, and once they are in your infrastructure they ll figure out a way to get to your other applications as well. 2

Challenges in Protecting All Web Applications So why is it that in spite of all the risks, organizations are not taking extra measures to identify vulnerabilities in all their cloud, mobile and web applications? In talking to various security professionals and in our recent surveys, we received the following reasons. Limited budget There s just not enough money in the budget to test all applications. Whether it is additional headcount or technology needed, testing applications costs money, and most organizations have not set aside enough. We certainly found this to be true in our survey where most respondents said their coffee budget was bigger than their application security budget. Limited expertise Application security is still not a mature science, and very few people out there who really understand application security. Compliance driven PCI DSS and other standards have traditionally only required external facing applications, although PCI has expanded the scope to include internal applications as well. Most organizations are driven by compliance and unfortunately not security. So the focus is only on these applications that help them get compliant, while all of the other applications are largely ignored. And, in reality the situation is even worse than that. The applications that are assessed for security, in many cases, are tested only to get a checkbox for compliance and not necessarily to make sure that they are secure. Misconceptions Lack of adequate knowledge can be dangerous. This is certainly true in the case of application security where there are many misconceptions. One of them is that companies shouldn t worry about all their cloud, mobile and web applications. For example, why would you want to test your internal applications that have no external interface? Those are secure, correct? Wrong. Think of insider threats. What if you have an internal human resources application with access to employee confidential information, like health records, compensation, performance metrics, etc? Now, let s say one of your less-than-ethical employees logs in as a user and exploits a privilege escalation vulnerability to give themselves admin rights? Voila! They have access to all the confidential records, and your company is now non-compliant with various standards. But, it s not that hard to protect yourself. Here are a few recommendations to do identify application vulnerabilities. 3

Recommendations ROI and impact of hacking Various studies show that one breach can cost millions of dollars. According to research done by Forrester and Ponemon Institute, the average cost per record in case of a breach is at least $300. Most companies have thousands of records. And more than 75 percent of attacks are occurring through web applications. Outsource You don t have to do everything yourself. There are solutions available as a managed service and a cloud service to help you secure your cloud, mobile and web applications quickly and affordably. Process for testing all applications Not all applications are created equal. You can cut down your costs by creating a pyramid of all your apps. Yes, the first step is to find out what applications do you have. Now run a basic test on all of these applications, and based on what you find out you can prioritize applications that need deeper penetration testing. This way, you ll get coverage on all your applications without spending a fortune and taking many years. Automated solutions and a good process can help you get there quickly. Manage your risk You will find hundreds of vulnerabilities in your web applications. And, you won t have time to fix them all. Take a risk management approach and prioritize these vulnerabilities based on a quantitative score. The ones with the highest score (i.e. most likely to be exploited) are most sensitive and should be addressed first and right away. All the other ones should be blocked with a Web Application Firewall (WAF) or other methodologies. 4

Summary The bottom line is that any breach can have a severely adverse impact on your bottom line. Cloud, mobile and web application vulnerabilities are low-hanging fruits for hackers, and they would rather pick these rather than going for the harder stuff. Hacking, unfortunately for the rest of us, has become a lucrative profession. And, intruders will continue to attack you to earn their living. Whether their motive is financial gain, espionage, hacktivism or perhaps something even more pernicious, hackers will continue to fire shots until they penetrate. In this case, we can t fire back at the enemy, and we can t be 100 percent secure, but we can certainly raise the walls of our castle to thwart their attempts. All apps receive Basic Testing Subset of apps receive strong Testing Mission-Critical apps receive robust Testing High asset value deep, continuous testing Low asset value basic security check 5

About Trustwave Cenzic solutions from Trustwave provide an application security intelligence platform to continuously assess Cloud, Mobile and Web vulnerabilities. This helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic solutions help secure more than half a million online applications. Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than two million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information: https://www.trustwave.com Copyright 2014 Trustwave Holdings, Inc.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information