3 Questions When Prioritizing Web App Vulnerabilities

March 8, 2018 Alfred Chung

Dynamic application security testing (DAST) often results in a constantly evolving list of security vulnerabilities. When scanning a web application in production or in an active testing environment, issues can crop up as quickly as changes happen within the app. And when exposed to the internet itself, there are many more ways in which security vulnerabilities can be exposed and exploited.

This is why it’s important to know how to prioritize your DAST results so you can leverage them to your full advantage. Vulnerability prioritization boils down to having the right criteria in place to validate vulns and weed out false positives. This way, you can focus on what really matters, and your development team won’t have to sift through hundreds of issues when they’re already busy fixing other bugs and working on features.

Most companies, however, don’t have the kind of talent on hand to do this. The good news is that there are three criteria any security professional can use to prioritize web application vulnerabilities quickly.

1. Is the vulnerability likely to be exploited?

First, it’s important to be realistic about how likely a vulnerability is to be exploited before putting all your resources into fixing it. For example, a vulnerability on the main page of your application should be ranked higher than one that is tucked away in the weeds, unlikely to ever be discovered. If a vulnerability is easily accessible to your adversaries and could cause real damage if exploited, it should be prioritized accordingly.

By ranking vulnerabilities this way (and you can do so quickly and efficiently using a dynamic application security testing solution like InsightAppSec), you get an actionable report that you can send to your development counterparts, which they can act on immediately. This leads not only to a faster mean time to response but also to less frustration and wasted time for both teams.

2. How confident are you in the results?

To quickly weed out false positives, it’s important to rank the confidence level of a detected vulnerability. If a potential issue within your application is detected, it’s important to know if it’s a real threat to your organization before treating it as such. Especially in the world of dynamic testing where behaviors change constantly, it’s important to have a high confidence level in a vulnerability before taking the time to respond to it.

Because this is a tedious task to perform manually, it’s helpful to have a solution that can do it for you. Rapid7’s application security solutions, for example, assign a low, medium, or high score that tells you how confident you can be in each result, which makes it clear which issues are real and which are not.

3. Is the threat known to be damaging?

It’s also important to know how much of a threat a particular vulnerability poses if exploited. A vulnerability that could give an adversary access to your crown jewels should be considered much more damaging than one that could cause an unimportant page on your website to go down. Experience in the security space will allow you to make this determination, but you can also look at the exploitation potential and confidence level within your application security testing solution, which can ultimately help you determine the severity of the issue.

It’s actually in your best interest to weigh all these criteria together, as they give you the best picture of how to handle vulnerabilities. For example, a dangerous threat that poses a 1% chance of impacting you should be much less worrisome than a moderate threat that poses a 75% chance of being exploited. Using these criteria in unison with a tool like InsightAppSec, you can appropriately prioritize and evaluate vulnerabilities in your web application so that you can be sure you’re always working on the most impactful issues, not ones that will lead you down a rabbit hole.
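To make the combination of the three criteria concrete, here is an added example (not code from the original post or from InsightAppSec) that triages a small list of constructed DAST findings: it drops results below a minimum confidence level, then ranks the rest by likelihood of exploitation multiplied by impact, discounted by confidence. The numeric weights for the low/medium/high confidence levels and for the impact tiers are assumptions chosen for illustration, as are the findings, their paths, and their likelihood estimates; the CWE identifiers are real CWE entries used only as labels.

```python
"""Triage constructed DAST findings by exploit likelihood, confidence and impact.

Added example; the weights below are assumptions, not a published scale.
"""
from dataclasses import dataclass

# Assumed discount applied to a finding based on how confident the scanner is
# that the finding is real (criterion 2).
CONFIDENCE_WEIGHT = {"low": 0.3, "medium": 0.6, "high": 1.0}

# Assumed impact tiers on a 1-10 scale (criterion 3): "high" is a path to the
# crown jewels, "low" is an unimportant page going down.
IMPACT_WEIGHT = {"low": 1, "moderate": 5, "high": 10}

CONFIDENCE_ORDER = ["low", "medium", "high"]


@dataclass(frozen=True)
class Finding:
    title: str
    location: str      # URL path where the scanner observed the behaviour
    cwe: str           # CWE label the scanner attached to the behaviour
    likelihood: float  # estimated probability of exploitation, 0.0-1.0 (criterion 1)
    confidence: str    # scanner confidence: "low", "medium" or "high"
    impact: str        # business impact tier: "low", "moderate" or "high"


def priority_score(finding: Finding) -> float:
    """Likelihood x impact, discounted by confidence; higher means fix first."""
    if not 0.0 <= finding.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range for {finding.title!r}")
    return round(
        finding.likelihood
        * IMPACT_WEIGHT[finding.impact]
        * CONFIDENCE_WEIGHT[finding.confidence],
        3,
    )


def triage(findings, min_confidence: str = "medium"):
    """Drop findings below min_confidence, then order the rest by score."""
    floor = CONFIDENCE_ORDER.index(min_confidence)
    kept = [f for f in findings if CONFIDENCE_ORDER.index(f.confidence) >= floor]
    return sorted(kept, key=priority_score, reverse=True)


# Constructed sample findings. The first two mirror the post's comparison:
# a dangerous issue with a 1% chance of exploitation versus a moderate one
# with a 75% chance.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "/login", "CWE-89", 0.01, "high", "high"),
    Finding("Reflected XSS in search", "/search", "CWE-79", 0.75, "high", "moderate"),
    Finding("Verbose error page", "/legacy/debug", "CWE-209", 0.05, "low", "low"),
    Finding("No lockout on password reset", "/reset", "CWE-307", 0.40, "medium", "moderate"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority_score(f):>6.3f}  {f.cwe:<8} {f.confidence:<7} {f.location:<15} {f.title}")
```

With these weights the 75%-likelihood moderate finding ranks first (3.75) and the 1%-likelihood dangerous one last (0.1), which is the ordering the post argues for; the low-confidence verbose error page never reaches the developers' list. The weights are the part a team should tune to its own environment, and the point of keeping them in one place is that the tuning is visible and reviewable rather than buried in someone's judgement.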

The trouble with using CVEs in application security

Especially if your expertise lies in vulnerability management, you may be wondering if CVEs could be the answer to prioritizing application vulnerabilities. While CVEs are a great way to prioritize vulnerabilities at the network, software, and operating system layer, they don’t address issues at the web application layer. This is where CWEs come in. As we explain in this post, CWEs, or Common Weakness Enumeration, are a set of common application security weaknesses. DAST solutions like InsightAppSec use CWEs to identify behaviors that appear to be vulnerabilities, giving security pros the ability to detect unknown issues like zero-day threats. They significantly aid in the vulnerability detection process, but they can’t be used alone to identify and prioritize issues.

The smartest approach is to leverage CWEs while taking into account the three criteria above. The best way to do this is to utilize a security solution that does this all in one, such as InsightAppSec.

Prioritization drives progress

The purpose of using any tool in business is to become more efficient or effective — or both. But you can only achieve that if your security tools are designed in such a way that they can streamline information for you, making it easier to prioritize your list of vulnerabilities and increase the effectiveness of your entire team.

Give InsightAppSec a try for free today and get ahead of vulnerabilities within your app.

This article was originally published here.
