The problem of standard vulnerability management is well known, Windows patches come out the second Tuesday of every month and then it’s a scramble to figure out which ones have to be applied to which systems and if they will affect operations. The same is true on other operating systems only on a less predictable schedule. More recently, the same has become true of applications from desktops to servers, Adobe to Zimbra and everything in between, each with its own set of patches, schedules, and vulnerabilities. Your Vulnerability Management process and Patch Management tools or vendor updates may take care of these, but what about the vulnerabilities in your web sites and custom or customized applications?
This has become an analogous process but with a painful twist. Static and Dynamic analysis tools scan custom applications for vulnerabilities but leave you with three problems.
- False Positives
- Too Much Data
- Not Enough Information
How can you have too much data and not enough information? The data is the overwhelming number of findings that seems inevitable. The information needed is the realistic prioritization of what’s real and critical and what’s not. Usually this has to be done one by one since unlike known vulnerabilities these are more general and pertain to your specific application. Unfortunately there are often too many to handle and the vulnerability management process for these applications stalls, leaving critical applications and data open to attack.
The only way to lessen the load is to get to root cause and reduce the number of application vulnerabilities in the first place, as well as give developers the guidance to fix the ones already there. The good news is that this can be done. Defensive coding can be taught to development staff to prevent vulnerabilities and Security Innovation provides cost effective e-learning and guidance to make it happen. We’ve helped technology companies and internal IT application developers alike make a big difference in their application development process. If you’re interested, here’s how to find out more.