High-profile security breaches have become somewhat commonplace today, and not a month goes by without hearing about a well-known corporate giant falling prey to cyber-crime. What usually follows is an ill-worded press release that trivialises the breach and a post-mortem investigation into what went wrong. There are usually many underlying factors that conspire in unison to facilitate such security failures, and much has been written and said about what directly or indirectly led to a breach. Thanks to recent advances and awareness around application security and the shift-left movement, product teams want to find security bugs as early as possible in the SDLC.
In this short read I aim to bring to light certain data-driven indicators that CISOs and practitioners can use to assess, and act on, the health of their existing AppSec programme.
One of the cornerstones of a sound application security program is Vulnerability Management. The multiplicity of testing tools and testing iterations makes managing vulnerabilities at scale all the more critical. This is where an Application Vulnerability Correlation (AVC) platform like Orchestron comes in.
In addition to eliminating noise, such as duplicate results reported by several tools and findings flagged as false positives, Orchestron also provides a treasure trove of valuable secondary information that helps senior management make informed decisions on matters such as training needs and better utilisation of tooling budgets.
Evaluate Performance of Security Tools
With the increasing need to make effective use of existing security bandwidth, adoption of tools is on the rise. Investing in a plethora of static and dynamic (SAST, SCA, DAST and IAST) tools is one thing. However, keeping track of their effective utilisation and performance is extremely important.
Orchestron’s tool-based heat maps help management compare and contrast open-source security tools and their commercial equivalents. You can actively track the performance of every testing tool you have deployed and analyse which is best suited to your environment. After all, what use is a six-figure licence for a platform if it finds little to nothing more than an open-source variant would?
Implement a Risk based Vulnerability Management Model
Apart from zero-day attacks, most security breaches stem from already known security vulnerabilities. The problem is the lack of direction in resolving them. Development teams have to ensure that vulnerabilities that carry a higher risk are resolved first. Orchestron can help practice leaders implement such a model through its risk-based prioritisation of vulnerabilities. Further, application owners have the flexibility to alter priority scores in Orchestron.
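The three capabilities described above (correlating duplicate findings across tools and dropping flagged false positives, measuring each tool's unique contribution, and risk-based prioritisation with an owner override) can be sketched as a small correlation pass. This is an added illustration written for this article, not Orchestron's code; the tool names, app exposure weights, severity scores and sample findings are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str
    app: str
    cwe: int
    location: str                 # file:line or URL, normalised by a scanner adapter
    severity: str                 # "critical" | "high" | "medium" | "low"
    false_positive: bool = False  # set by a triager after review

SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
EXPOSURE = {"payments-api": 1.5, "intranet-wiki": 0.6}  # hypothetical app exposure weights
def correlate(findings):
    """One record per (app, cwe, location): worst severity plus the set of tools;
    a group carrying any false-positive flag is dropped."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.app, f.cwe, f.location)].append(f)
    merged = {}
    for key, fs in groups.items():
        if any(f.false_positive for f in fs):
            continue
        worst = max(fs, key=lambda f: SEVERITY_SCORE[f.severity]).severity
        merged[key] = {"severity": worst, "tools": sorted({f.tool for f in fs})}
    return merged
def tool_heatmap(merged):
    """Per tool: (confirmed findings it reported, findings only it reported)."""
    stats = defaultdict(lambda: [0, 0])
    for rec in merged.values():
        for t in rec["tools"]:
            stats[t][0] += 1
            stats[t][1] += len(rec["tools"]) == 1  # unique contribution
    return {t: tuple(v) for t, v in stats.items()}
def prioritise(merged, overrides=None):
    """Risk = severity score x app exposure, unless the owner pins a score."""
    overrides = overrides or {}
    scored = []
    for key, rec in merged.items():
        base = SEVERITY_SCORE[rec["severity"]] * EXPOSURE.get(key[0], 1.0)
        scored.append((round(overrides.get(key, base), 2), key, rec["tools"]))
    return sorted(scored, reverse=True)

SAMPLE = [  # constructed findings from three hypothetical scanners, not real output
    Finding("sast-a", "payments-api", 89, "db.py:42", "high"),
    Finding("sast-b", "payments-api", 89, "db.py:42", "critical"),
    Finding("sast-b", "payments-api", 79, "views.py:10", "medium"),
    Finding("dast-c", "intranet-wiki", 79, "/search", "high"),
    Finding("sast-a", "intranet-wiki", 798, "crypto.py:7", "low", false_positive=True),
]
```

Running `correlate(SAMPLE)` collapses the two SQL-injection reports on `db.py:42` into one record at the worse severity, the heat map shows `sast-b` as the only tool with a finding nobody else reported, and `prioritise` puts the payments-api findings ahead of the intranet one until an owner override says otherwise.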
Look Closer at Vulnerability Trends
An organisation's capacity to grow is intrinsically linked to the growth of its employees. Regular and sustained training programmes must be used for the steady enhancement of an employee’s skill set. This is especially true in the context of skilled security resources, who are a rare breed.
Of the many indicators for ascertaining training needs, vulnerability trends can provide interesting insights. Orchestron can help you monitor open and closed vulnerabilities across applications, which helps you assess the security skill level of different teams in the organisation. This enables executives to identify which teams need up-skilling.
In conclusion, the state of application security, as seen by senior security leaders and executives, does not consist only of an executive summary list of vulnerabilities. We believe they should make use of the other data points available, which will help them assess their programme and make informed decisions in the future.
If you’d like to see how Orchestron can help you achieve this, do get in touch with us here.