Did you know that enterprises have anywhere from a few hundred to several thousand applications running on thousands of assets across their networks? Do the math on those numbers, and you’re talking about a ton of application vulnerabilities inside your network! And this poses a significant threat. According to the 2017 Verizon DBIR, nearly 30 percent of all successful breaches utilize applications as the vector.
There are two major reasons why are there so many application vulnerabilities. First, if you’re a software developer, security isn’t likely your primary concern; instead, you need to focus on getting features out quickly. Second, the threat landscape is continuously evolving, with new vulnerabilities discovered every day, making it impossible to keep up with constant patch cycles.
Couple all of this with the growing cybersecurity skills gap, and you have yourself a “perfect storm” for bad actors. According to ESG’s 2018 IT spending intentions survey, 51 percent of organizations have a problematic shortage in IT cybersecurity skills that are required to deal with these realities. Further exacerbating the problem, the sheer volume of application security data is overwhelming, limiting an application security analyst’s ability to quickly identify, prioritize, and mitigate vulnerabilities. Even if the team is large, they simply can’t scale to test more than a small fraction of them. And the effort required to manage and measure the risk introduced by application layer vulnerabilities continues to increase year over year.
Application security teams have their hands full just gathering and analyzing the results from all of their various scanners, and while they know there is risk they simply don’t have the time, expertise, or context to find and remediate the relatively small percentage of application vulnerabilities that expose them to the most risk. As a result, they can’t prioritize what to fix first, so all too often they end up fixing the wrong vulnerabilities while dangerous applications continue to run. Or worse, they go into reactive mode and do nothing until an application is actually compromised.
Today, Kenna Security announced a solution to this critical problem that will help enterprises prioritize the application vulnerabilities that are most likely to lead to data breaches and other malicious attacks. The Kenna Application Risk Module is a scalable, cloud-based solution that enables organizations of any size to prioritize application vulnerabilities by risk. The module processes and normalizes all application security data, including static and dynamic scanners , penetration test results, bug bounty data, and open source scanners to help compute the relative risk score for each vulnerability, and then correlates that data with near real-time telemetry from existing Web Application Firewall (WAF) deployments to determine which vulnerabilities are being attacked.
This context empowers application security staff, DevOps, and developers to continuously, effectively, and proactively remediate the high-risk application vulnerabilities that are most important to them.
The Kenna Application Risk Module extends the capabilities of the Kenna Security Platform by applying the same data science to vulnerabilities at the application layer. By discovering and prioritizing application vulnerabilities and communicating the results to all application stakeholders, the Kenna Application Risk Module focuses the organization’s limited development and IT resources to reduce the most risk.