Discover Performance

HP Software's community for IT leaders // July 2012

Six steps against application attacks

Vulnerabilities at the application layer—not the network perimeter—have become the most popular exploit vector for hackers. Find out how to keep your risk low.

Application exploits are on the rise. The National Institute of Standards and Technology estimates that 92 percent of security breaches are facilitated by unsecured applications.

The U. S. Air Force reports that application hacks have increased from 2 percent to 33 percent of the total number of attempts to break into its systems.

With more hackers targeting applications directly—finding clever ways to launch "insider" attacks—enterprises will never get ahead of the game by addressing security solely as an operational issue. You can secure the network perimeter all you want, but if applications aren't locked down tight, hackers will find a way to get to your sensitive data.

Getting to the root of the problem

While all organizations understand the need to create secure software, the methods they use to identify security vulnerabilities can be haphazard. Popular tactics, such as penetration tests, are not getting the job done.

  • Penetration tests only find problems, they can't fix them. Nor can they provide any assurance that all potential problems have been identified.
  • Web application firewalls, which are used to block anomalies in traffic patterns, can be disruptive when the irregular patterns they block turn out to be valid traffic.

To secure your company's data, your approach must include an examination of each application's inner workings, as well as the ability to find the exact lines of code that create security vulnerabilities. It then needs to correct those vulnerabilities at the code level. Finally, there must be a comprehensive prevention strategy that fends off future attacks and mitigates current ones.

Such a comprehensive strategy for tackling application risk has the following six steps:

1. Find and assess potential vulnerabilities.

Deploy an asset management system to inventory every application, including versions, upgrades, patches and current configurations. Then examine end-to-end application data flow, identifying the points of interaction with other applications, hardware or data. These are the most likely targets in an attack.

Rank the vulnerabilities on the resulting—and potentially very long—list. Tackle the most serious weakness first, of course.

2. Foster an awareness of risk and the need for remediation.

Key stakeholders must understand the specific areas where insecure applications threaten the business and the potential consequences of failing to mitigate them. Once this is done, CISOs can begin to educate developers how to avoid critical security mistakes in the first place.

3. Create and deploy application security features.

Develop clearly defined requirements to secure each application as well as the application environment as a whole. Make sure that every application—purchased, in-house, outsourced, open source—has features to prevent, detect and correct breaches.

When patching or writing new code, use regression tests to ensure that the new software addresses the root cause as well as the vulnerability.

4. Develop continuous methods to find and assess vulnerabilities.

Use vendor alerts and public vulnerability databases to track emerging application security issues and assess vulnerabilities on an ongoing basis. Scan all new source code for known problems, and scan existing code for newly identified vulnerabilities with each deployment. Keep track of past software vulnerabilities and ensure that the mistakes are not repeated.

In addition, provide developers with reliable procedures to scan code for security bugs before compiling, before deployment and in production.

5. Secure applications throughout the development lifecycle.

A security development lifecycle (SDL) recommends the performance of various security activities throughout the development process. The SDL tracks and enforces compliance with the recommendations.

It's a good idea to incorporate multiple vulnerability detection methods at well-defined control points. An application security testing solution that encompasses both static and dynamic analysis can detect the broadest range of security holes.

Finally, deploy "toll gates"—repeatable, mandatory procedures for finding bugs—to block software from going into production before it has been thoroughly tested.

6. Make application security an integral part of your operations.

You'll need an effective application security strategy that addresses both immediate and systemic risk. Software Security Assurance (SSA) is the operational solution to the problem of software risk, covering all the people, processes and technologies that can affect the quality of software security.

If an internal SSA initiative is beyond your reach, the alternative is to partner with a vendor with deep expertise in both security and development. It can provide a solution to scan for security holes in existing applications, offer strategies to repair them and ensure that code under development is secure at every stage, regardless of the type of application.

To read more about improving the security of your applications, visit the HP Fortify Software Security Center.


IT leader assessment

This tool evaluates the correlation between IT attributes and business success and, based on how your answers compare with average scores, will advise you where to invest in IT.

It is based on data HP collected from 650 global companies about a range of IT characteristics (server capacities, approach to information management, security, BYOD, etc.) and how they correlate to revenue gain. This assessment will compare your answers to the average scores in that study.

There are 12 questions that will require an estimated 10 minutes of your time. You'll receive a summary of your rating upon completion.

Let's get started

Please select an answer.


Your answer:
Your score:
Average score:
Revenue leaders' score:


Please select an answer.



Your score:
Average score:
Revenue leaders' score:

Get detailed results:


Popular tags


Discover Performance Weekly

HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.

Enterprise 20/20

Security 20/20

Preparing today for tomorrow’s threats.

Introduction to Enterprise 20/20

What will a successful enterprise look like in the future?

CIO 20/20

Challenges and opportunities for the CIO of the future.

Dev Center 20/20

How will we organize development centers for the apps that will power our enterprises?

Marketing 20/20

Welcome to a new reality of split-second decisions and marketing by the numbers.

IT Operations 20/20

How can you achieve the data center of the future?

Employee 20/20

What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.

Mobility 20/20

Looking toward the era when everyone — and everything — is connected.

Data Center 20/20

The innovation and revenue engine of the enterprise.

Read more

HP Software related

Most read articles

Discover Performance


Tweets @ HPSecurity