How to improve your application security practices

Organizations talk a good game when it comes to security, but many still focus the majority of their security resources on the network rather than their applications, the vector for most data breaches. Many organizations dedicate less than 10 percent of their IT security budget to application security, according to a study by research firm the Ponemon Institute, released earlier this year.

The reasons for this gap are multifaceted, says Jeremiah Grossman, founder and CTO of WhiteHat Security, provider of a continuous vulnerability assessment and management service for thousands of Web sites, including the Web sites of dozens of Fortune 500 companies. First, he says, many security professionals have a blind spot for software.

"Most of the security guys out there are not software people," he says. "They come from an IT background. All they really know how to do is protect the network."

Second, regulatory compliance and the cruft that comes with regulations based on past threats also play a role in Grossman's view.

"Organizations must comply," he says. "They spend the lion's share of their budget first on firewalls and antivirus because the compliance regulators mandate it."

Prioritizing Application Security Is a Challenge

It is often difficult for the organization to prioritize application security over revenue-generating development work, he says. Even when organizations identify serious vulnerabilities in their Web sites, it's not necessarily a simple decision to fix them.

"The organization has to fix it themselves," he says. "The business has to decide: 'Do we create revenue-generating features this week? If we don't deliver those features on time or at all, we will for a fact lose money. Not fixing the vulnerability may potentially cost the business money.' They have to make a decision."

Application Vulnerabilities on the Decline

Even with these challenges, Grossman says the application security landscape shows signs of improvement. While 2011 was dubbed the Year of the Breach, based on a multitude of high-profile breaches of companies like RSA, Sony, Facebook and Citigroup, not to mention the CIA and FBI, 2011 was also a year in which the average number of serious vulnerabilities in Web sites showed a marked decline.

For 12 years, WhiteHat has put together its WhiteHat Security Website Security Statistics Report based on the vulnerabilities it finds in the Web sites it assesses. The 2011 installment, based on the examination of critical vulnerabilities from 7,000 Web sites across major vertical markets, found an average of 79 serious vulnerabilities per Web site, a drastic reduction from the average of 230 it found in 2010 and 1,111 it found in 2007.

"These are real-world Web sites," Grossman says. "I would guarantee that you have accounts and data in many of the sites we test."

Of course, that single statistic doesn't tell the whole story. While the average came in at 79 serious vulnerabilities, the standard deviation was 670: Some Web sites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million Web sites on the Internet and tens of millions more are coming online each month. While it's a large sample, 7,000 Web sites is just a tiny fraction of the whole.

Still, WhiteHat's findings paint a picture of the state of Web site security today; a picture in which Web site security is slowly improving. The banking vertical continued to show its dedication to security: Banking Web sites again possessed the fewest serious vulnerabilities of any industry with an average of 17 serious vulnerabilities per Web site. Banking also had the highest remediation rate of any industry at 74 percent. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010.

Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days, much shorter than the average of 116 days in 2010. "The developers know that 38 days is actually a really, really good number because they know how long it does take," Grossman says. "But to the end users, 38 days is unacceptable."

Steps to Improve Your Security Posture

To improve your application security posture and make the best possible use of your IT security budget, Grossman suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportunity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker.

"On the Web, if you're doing business of any kind, you're going to be a target of opportunity," Grossman says. "Everybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: your credit card numbers or IP or customer lists. This aligns with how secure you need to be. No one needs perfect security."

If you determine you're a target of opportunity, Grossman says, you need to make sure that you are a little bit more secure than the average business in your category. He notes organizations can use the data in WhiteHat's free Website Security Statistics Report to benchmark where they need to be.

Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then prepare plans for how to react when they are breached so they can minimize the damage as much as possible.

Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their Web sites. Additionally, he says organizations need to understand their benchmarks: which vulnerabilities are most prevalent in their Web sites, what's their time-to-fix, their remediation percentage, average window of exposure, etc.

If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it's a sign that your developers need education in that issue or your development framework may not be up to snuff. If your time-to-fix is particularly slow, it's a good bet that you have a procedural issue: your developers aren't treating vulnerabilities as bugs. If you consistently see vulnerabilities reopening, it suggests you have a problem with your 'hot-fix' process: high-severity vulnerabilities get fixed quickly in production, but the change is never back-ported to development, so a future software release overwrites the patch.
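The benchmarks Grossman lists can be computed from any vulnerability tracker that records when a finding was opened, closed and reopened. The following is an added example, not code from the article or from WhiteHat: it computes prevalence by vulnerability class, average time-to-fix, remediation rate and window of exposure from a constructed tracker export, then maps them onto the three signals described above. The record layout, the sample findings and the 50 percent prevalence threshold are assumptions; the 38-day benchmark is the 2011 average the article cites, and "window of exposure" is taken here to mean the number of days in the period with at least one open finding.

```python
"""Benchmark metrics for a Web application security program, computed from a
constructed vulnerability-tracker export. Added example: record layout, sample
data and the prevalence threshold are assumptions, not a vendor's format."""
from collections import Counter
from datetime import date, timedelta

# Industry average time-to-fix (days) for 2011 as cited in the article; a
# target of opportunity should aim to beat it.
BENCHMARK_TIME_TO_FIX_DAYS = 38
# Assumed threshold: one class making up half of all findings is "recurring".
RECURRING_CLASS_SHARE = 0.5

# Constructed sample findings. "closed" is None while a finding is still open;
# "reopened" counts how many times a fixed finding was seen again.
FINDINGS = [
    {"id": "F-1", "class": "XSS",  "opened": date(2011, 1, 10), "closed": date(2011, 2, 20),  "reopened": 0},
    {"id": "F-2", "class": "XSS",  "opened": date(2011, 3, 1),  "closed": date(2011, 3, 15),  "reopened": 1},
    {"id": "F-3", "class": "SQLi", "opened": date(2011, 4, 5),  "closed": date(2011, 6, 4),   "reopened": 0},
    {"id": "F-4", "class": "XSS",  "opened": date(2011, 7, 1),  "closed": None,               "reopened": 0},
    {"id": "F-5", "class": "CSRF", "opened": date(2011, 8, 15), "closed": date(2011, 9, 14),  "reopened": 0},
    {"id": "F-6", "class": "XSS",  "opened": date(2011, 10, 1), "closed": date(2011, 10, 21), "reopened": 1},
]


def prevalence(findings):
    """Count findings per vulnerability class (most common first)."""
    return Counter(f["class"] for f in findings)


def avg_time_to_fix(findings):
    """Mean days from open to close over closed findings; None if nothing closed."""
    days = [(f["closed"] - f["opened"]).days for f in findings if f["closed"]]
    return sum(days) / len(days) if days else None


def remediation_rate(findings):
    """Percentage of findings that have been closed."""
    closed = sum(1 for f in findings if f["closed"])
    return 100.0 * closed / len(findings) if findings else 0.0


def window_of_exposure(findings, period_start, period_end):
    """Days in [period_start, period_end] with at least one open finding.
    A finding counts as open on day d when opened <= d < closed (or it is
    still open). This is the working definition assumed here."""
    exposed, day = 0, period_start
    while day <= period_end:
        if any(f["opened"] <= day and (f["closed"] is None or day < f["closed"])
               for f in findings):
            exposed += 1
        day += timedelta(days=1)
    return exposed


def reopened(findings):
    """IDs of findings that were fixed and later seen again."""
    return [f["id"] for f in findings if f["reopened"] > 0]


def diagnose(findings, period_start, period_end):
    """Compute the benchmarks and map them onto the article's three signals:
    a recurring class, a slow time-to-fix, and reopened findings."""
    counts = prevalence(findings)
    total = sum(counts.values())
    ttf = avg_time_to_fix(findings)
    signals = []
    if total:
        top_class, top_n = counts.most_common(1)[0]
        if top_n / total >= RECURRING_CLASS_SHARE:
            signals.append(f"recurring {top_class} ({top_n}/{total}): "
                           "developer training or framework defaults")
    if ttf is not None and ttf > BENCHMARK_TIME_TO_FIX_DAYS:
        signals.append(f"time-to-fix {ttf:.0f}d above {BENCHMARK_TIME_TO_FIX_DAYS}d: "
                       "vulnerabilities not tracked as bugs")
    if reopened(findings):
        signals.append(f"reopened {reopened(findings)}: hot-fix not merged to development")
    return {
        "prevalence": dict(counts),
        "avg_time_to_fix_days": ttf,
        "remediation_rate_pct": remediation_rate(findings),
        "window_of_exposure_days": window_of_exposure(findings, period_start, period_end),
        "signals": signals,
    }


if __name__ == "__main__":
    report = diagnose(FINDINGS, date(2011, 1, 1), date(2011, 12, 31))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows XSS dominating (four of six findings) and two reopened findings, while the 33-day average time-to-fix beats the 38-day benchmark, so only the training and hot-fix signals fire. Feeding a real tracker export through the same functions, period by period, gives the trend lines the article says an organization should know about itself.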

"Understand your software development cycle," Grossman says. "Understand where you're good, where you're bad and make your adjustments accordingly."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow CIO on Twitter @CIOonline and on Facebook.
