Application Security Assessments as Risk Management

Edwin Covert
Published in System Weakness
6 min read · Jun 21, 2022

Photo by Antonio Batinić: https://www.pexels.com/photo/black-screen-with-code-4164418/

Organizations face increasing cybersecurity attacks on their applications, systems, and networks, i.e., their assets (Wang et al., 2020). According to researchers, these cyber attacks exploit vulnerabilities and lead to “interruptions in online services, impaired corporate reputation, and ultimately financial losses” (p. 1). One way to address and mitigate cybersecurity attacks is to get an understanding of potential weaknesses in organizational assets and the risks they pose.

This article will discuss a particular type of risk assessment using anonymized information about an application. This security review of the application comes from a large entertainment company. It will show how such security reviews “support risk managers to prioritize risks, allocate restricted resources to alleviate them, and make further defence decisions” (Wang et al., 2020).

What is a Risk Assessment?

In cybersecurity, a risk assessment is a key component of an organization’s overall security program (National Institute of Standards and Technology, 2012). According to Landoll (2021), the security risk assessment can measure the strength of an organization’s overall security approach and program. The risk assessment process allows organizational leaders to make effective decisions about how to protect their assets (Wang et al., 2020). The National Institute of Standards and Technology (NIST) (2012) provides examples of these decisions: architectural development, how and when systems interconnect to non-organizational elements, security solution design and selection, and overall implementation of controls, among others.

Security Assessments at an Entertainment Company

Company X is a global entertainment and media company with a robust cybersecurity program designed to protect company assets and intellectual property and mitigate risks the company faces. One element of this risk management process is its Technical Security Testing (TST) program. This program conducts a full-spectrum review of applications that process or make use of Company X’s data and information, including both internal and external applications, i.e., those developed by outside vendors or partner companies. The security assessment process involves three elements: security architecture reviews, threat modeling, and manual security testing, or penetration testing.

Security Architecture Review

Company X uses a security architecture review process to examine the technological components of an asset and determine its architecture across three distinct areas: conceptual, logical, and physical. This allows the company to understand how the asset’s developers designed it (Wahe & Peterson, 2011). Specifically, Company X leverages a subset of the OWASP (2022) Application Security Verification Standard (ASVS) in the areas of asset documentation, asset development, authentication, data flows/business logic, cryptography/data protection, and asset logging.

Threat Modeling

Understanding the attack surface means knowing which parts of the asset are vulnerable and need to be tested, according to OWASP (2021). A key component of this analysis is creating a threat model. Analysts use the threat modeling process to “analyze potential attacks or threats, and can also be supported by threat libraries or attack taxonomies” (Xiong & Lagerström, 2019, p. 56). Company X analysts then collate each of these attacks into the larger picture, i.e., the attack surface of the asset.

Manual Security Testing

Manual security testing, or penetration testing, is a process that “examines systems using multiple attacks and attempts to find and exploit vulnerabilities using appropriate malicious input values that help to discover security bugs in implementation” (Al-Ahmad et al., 2019, p. 173525). Company X uses a mix of external resources, i.e., contractors, and internally developed open source software to conduct this work. Much of the penetration testing work Company X does flows from the previous two steps: the architecture review and the threat model tell the testers where to look.

Findings of a Security Architecture Review for Application A

In 2022, the TST team conducted an assessment of a Company X web-based application and discovered several issues across the security architecture domain and the manual security testing domain. Table 1 provides some details about these findings.

Table 1

Security Assessment Findings in Application A

Each finding in Table 1 has a finding category and a Common Weakness Scoring System (CWSS) score. The finding category allows the company to analyze trends across the range of its applications. The CWSS “provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner” (MITRE, 2018, para. 1). Company X uses these values to determine the severity of a particular finding because CWSS allows them to factor in aspects of the finding beyond its purely technical nature, such as where the asset is deployed and which compensating controls surround it. For example, while a finding such as number 4, Application Admin Username Enumeration, might sometimes be a high severity finding, TST scored it as a low severity finding because the environment Application A exists in is unreachable from outside the confines of Company X’s infrastructure. Severity is another way of stating the risk a particular finding presents to the organization.
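To make the environmental adjustment concrete, here is an added CWSS calculator (my own illustration, not code from the article or from Company X’s TST program). The three-subscore formula follows MITRE’s CWSS v1.0.1; the single-letter metric codes and the factor weights are transcribed from my reading of that specification and should be checked against the spec before being relied on, and both metric vectors are constructed for the username enumeration case the article describes.

```python
# Added example: CWSS v1.0.1 scoring for an "admin username enumeration" finding,
# once as Internet-facing and once as reachable only inside the corporate network.
# Weight tables below are transcribed from my reading of the CWSS v1.0.1 spec
# (https://cwe.mitre.org/cwss/cwss_v1.0.1.html); verify them against the spec.

WEIGHTS = {
    # Base Finding metric group
    "TI": {"C": 1.0, "H": 0.9, "M": 0.6, "L": 0.3, "N": 0.0},             # Technical Impact
    "AP": {"A": 1.0, "P": 0.9, "RU": 0.7, "L": 0.6, "N": 0.1},            # Acquired Privilege
    "AL": {"A": 1.0, "S": 0.9, "N": 0.7, "E": 1.0},                       # Acquired Privilege Layer
    "IC": {"N": 1.0, "L": 0.9, "M": 0.7, "I": 0.5, "B": 0.3, "C": 0.0},   # Internal Control Effectiveness
    "FC": {"T": 1.0, "LT": 0.8, "F": 0.0},                                # Finding Confidence
    # Attack Surface metric group
    "RP": {"N": 1.0, "L": 0.9, "RU": 0.7, "P": 0.6, "A": 0.1},            # Required Privilege
    "RL": {"A": 1.0, "S": 0.9, "N": 0.7, "E": 1.0},                       # Required Privilege Layer
    "AV": {"I": 1.0, "R": 0.8, "V": 0.8, "A": 0.7, "L": 0.5, "P": 0.2},   # Access Vector
    "AS": {"N": 1.0, "W": 0.9, "M": 0.7, "S": 0.5},                       # Authentication Strength
    "IN": {"A": 1.0, "T": 0.9, "M": 0.8, "O": 0.3, "H": 0.1, "N": 0.0},   # Level of Interaction
    "SC": {"A": 1.0, "M": 0.9, "R": 0.5, "P": 0.1},                       # Deployment Scope
    # Environmental metric group
    "BI": {"C": 1.0, "H": 0.9, "M": 0.6, "L": 0.3, "N": 0.0},             # Business Impact
    "DI": {"H": 1.0, "M": 0.6, "L": 0.2},                                 # Likelihood of Discovery
    "EX": {"H": 1.0, "M": 0.6, "L": 0.2, "N": 0.0},                       # Likelihood of Exploit
    "EC": {"N": 1.0, "L": 0.9, "M": 0.7, "I": 0.5, "B": 0.3, "C": 0.0},   # External Control Effectiveness
    "P":  {"W": 1.0, "H": 0.9, "C": 0.8, "L": 0.5},                       # Prevalence
}


def cwss_score(vector: dict) -> float:
    """Return the 0..100 CWSS score for a metric vector such as {"TI": "L", ...}."""
    w = {k: WEIGHTS[k][vector[k]] for k in WEIGHTS}
    # Base Finding: what the weakness lets an attacker do, scaled to 0..100.
    base = (10 * w["TI"] + 5 * (w["AP"] + w["AL"]) + 5 * w["FC"]) * (1 if w["TI"] else 0) * w["IC"] * 4.0
    # Attack Surface: how reachable the weakness is, 0..1.
    surface = (20 * (w["RP"] + w["RL"] + w["AV"]) + 20 * w["SC"] + 15 * w["IN"] + 5 * w["AS"]) / 100.0
    # Environmental: business context and compensating controls, 0..1.
    env = (10 * w["BI"] + 3 * w["DI"] + 4 * w["EX"] + 3 * w["EC"]) * (1 if w["BI"] else 0) * w["P"] / 20.0
    return round(base * surface * env, 1)


# Constructed vector: low technical impact, no privilege gained, reachable from the
# Internet with no compensating controls, trivially automated.
INTERNET_FACING = dict(TI="L", AP="N", AL="A", IC="N", FC="T",
                       RP="N", RL="A", AV="I", AS="N", IN="A", SC="A",
                       BI="L", DI="H", EX="H", EC="N", P="C")

# Same weakness, but only reachable from the private network, with strong external
# controls in front of it, so discovery and exploitation become far less likely.
INTERNAL_ONLY = dict(INTERNET_FACING, AV="V", EC="B", DI="M", EX="L")

if __name__ == "__main__":
    print("internet-facing:", cwss_score(INTERNET_FACING))
    print("internal-only:  ", cwss_score(INTERNAL_ONLY))
```

The Base Finding subscore is identical in both runs; only the Attack Surface and Environmental subscores change, which is exactly the lever TST used to score finding 4 as low severity.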

Benefits and Drawbacks of This Approach

Benefits

As Landoll (2021) and Wang et al. (2020) note, the benefit of conducting a security assessment on Application A includes understanding how well the application is meeting the obligations the organization places on its assets. These obligations are both ‘the right thing to do’ (industry standards) and required by regulations or laws, depending on the organization. For example, US government agencies are required to conform to security standards from NIST, and public companies are required to have internal controls for financial reporting under Section 404 of the Sarbanes-Oxley Act of 2002 (Fischer et al., 2020). Security assessments, such as the process described above, satisfy these requirements and provide a holistic view of Application A from a security standpoint.

Drawbacks

The chief drawback to this security assessment approach is the need for repeatability. When conducted, the results of Application A’s assessment are a point-in-time evaluation of the security posture of the target. They only remain valid if the application stays static; in the fast-moving world of information technology, that is unlikely to occur. Therefore, all assets should undergo periodic reviews to ensure they stay current in the face of changing threats and newly discovered vulnerabilities (Landoll, 2021). Company X does this by requiring asset owners to submit for re-assessment whenever there is a material change in the asset.

Conclusion

Risk assessments are vital to understanding where issues within an organization exist. In cybersecurity specifically, a security assessment is a risk assessment of a particular asset. By using a holistic method that covers a wide spectrum of concepts, organizations like Company X can determine where gaps exist in an asset’s security posture. With this knowledge, the company can develop countermeasures to mitigate any exposure and address vulnerabilities.

References

Al-Ahmad, A. S., Kahtan, H., Hujainah, F., & Jalab, H. A. (2019). Systematic literature review on penetration testing for Mobile Cloud Computing Applications. IEEE Access, 7, 173524–173540. https://doi.org/10.1109/access.2019.2956770

Fischer, B., Gral, B., & Lehner, O. (2020). SOX section 404 twenty years after: Reviewing costs and benefits. ACRN Journal of Finance and Risk Perspectives, 9(1), 103–112. https://doi.org/10.35944/jofrp.2020.9.1.008

Landoll, D. (2021). The security risk assessment handbook: A complete guide for performing security risk assessments. Taylor & Francis Group.

MITRE. (2018, April 2). Common weakness enumeration. CWE. Retrieved June 17, 2022, from https://cwe.mitre.org/cwss/cwss_v1.0.1.html

National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST Special Publication 800-30 Rev. 1). https://doi.org/10.6028/nist.sp.800-30r1

OWASP. (2022, March 24). Application security verification standard version 4.0.3. OWASP Application Security Verification Standard. Retrieved June 17, 2022, from https://owasp.org/www-project-application-security-verification-standard/

Wahe, S., & Peterson, G. (2011). Open enterprise security architecture (O-ESA): A framework and template for policy-driven security. Van Haren.

Wang, J., Neil, M., & Fenton, N. (2020). A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model. Computers & Security, 89, 1–20. https://doi.org/10.1016/j.cose.2019.101659

Xiong, W., & Lagerström, R. (2019). Threat modeling — a systematic literature review. Computers & Security, 84, 53–69. https://doi.org/10.1016/j.cose.2019.03.010
