LATEST INTELLIGENCE
TRIAGING THE ENTERPRISE FOR APPLICATION SECURITY ASSESSMENTS
Conducting a full array of security tests on all
applications in an enterprise may be infeasible
due to both time and cost. According to
the Centre for Internet Security, the purpose of
application specific and penetration testing is to
discover previously unknown vulnerabilities and
security gaps within the enterprise.
These activities are only warranted after an
organisation attains significant security maturity,
which results in a large backlog of systems that
need testing. When organisations finally undertake
the efforts of penetration testing and application
security, it can be difficult to choose where to begin.
Computing environments are often filled with
hundreds or thousands of different systems to test
and each test can be long and costly. At this point
in the testing process, little information is available
about an application beyond the computers involved,
the owners, data classification, and the extent to
which the system is exposed. With so few variables,
many systems are likely to have equal priority. This
paper suggests a battery of technical checks that
testers can quickly perform to stratify the vast array
of applications that exist in the enterprise ecosystem.
This process allows the security team to focus efforts
on the riskiest systems first.
Introduction
In mature enterprises, application security
and penetration testing programs exist to find
vulnerabilities in internally developed applications
and the complex interactions between systems
(Scarfone et al., 2008). Both programs should be
integrated with the Secure Development Lifecycle
(SDL) to prevent vulnerabilities in internally developed