In a new webcast, Shift your Application Security Program into Overdrive, Michael Goldgolf of WhiteHat Security and Arpit Joshipura of Prevoty discuss how long time-to-remediation strains vulnerability management and how to close the resulting gaps. The solution they propose might surprise you.
The deal with vulnerability management
Application security and development teams are caught in a cycle of unmet needs: applications often remain exposed at runtime for hundreds of days while the teams triage which vulnerabilities to remediate, in what order (highest risk first), and who will fix them. Some of the details:
Only 3% of the IT security budget is invested in the application layer, even though most attacks target that layer, leaving a sore lack of dedicated resources.
Attackers exploit vulnerabilities introduced during design, architecture and implementation by feeding the running application malicious inputs that distort its expected behavior during execution.
Customers take on average 150 days to fix a single vulnerability, and most lack the remediation resources to fix all of them in a timely fashion.
Three to five days a week are spent tuning and maintaining security solutions and policies for existing applications, rather than fixing core vulnerabilities and ensuring secure coding in new ones.
Building on SAST/DAST technology with Runtime
Scanning tools in the modern arsenal have clear strengths:
Modern static application security testing (SAST) tools work extremely well for continuously scanning the code of applications still in development. Fixing a vulnerability is far less expensive early in the lifecycle, and these tools deliver that early detection and the cost savings that follow.
For applications in production, it gets trickier (especially for outdated legacy code that is harder to support). Dynamic application security testing (DAST) does an excellent job of identifying vulnerabilities in the running application, but once a finding is in hand you are working against a ticking clock to fix or block it.
What if there was a way to neutralize the risk while you prioritize and assign resources to remediation? In this webcast hosted by WhiteHat Security, viewers walk through a more prescriptive, cost-effective approach that shows how testing and runtime application self-protection (RASP), when used together, can mitigate vulnerabilities already out in production.
There are many benefits to this joint approach, but the most impressive may be that you can detect and mitigate application vulnerabilities in real time at the same moment, which makes true runtime risk easier to understand and "keeps the lights on" while the DevSecOps cycle runs. The runtime mitigation is a compensating control that buys time: the vulnerability is still in the code until it is remediated, and the RASP findings should feed back into the same backlog the scanners populate.
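To make the runtime half of that joint approach concrete, here is an added example written for this page; it is not Prevoty's or WhiteHat's code and does not describe how their products work. It keeps a deliberately unremediated, string-concatenated SQL query in place (the legacy code still waiting in the backlog) and wraps the sqlite3 driver with a RASP-style hook that checks, per request, whether any user-supplied input changed the lexical structure of the query. The names (GuardedConnection, find_user, handle_request, REQUEST_INPUTS) and the lexical-shape check are this example's own simplifications; real agents hook deeper in the framework and driver and cover more than SQL. The sample table rows and inputs are constructed for the demo.

```python
"""Toy RASP hook for SQL injection: added example, not Prevoty or WhiteHat code.

The query builder find_user() is deliberately vulnerable (string concatenation)
and stands in for legacy code awaiting remediation. GuardedConnection stands in
for a RASP agent that instruments the database driver and checks whether any
input of the current request altered the query's structure.
"""
import contextvars
import re
import sqlite3

# Inputs received by the current request: a stand-in (assumption of this
# example) for the request-scoped taint tracking a real agent does by hooking
# the web framework.
REQUEST_INPUTS = contextvars.ContextVar("request_inputs", default=())

# Detection log: every event is recorded, even in monitor mode, so findings
# can be correlated with the DAST/SAST backlog.
EVENTS = []

TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'           |  # single-quoted string literal
    \d+(?:\.\d+)?            |  # numeric literal
    [A-Za-z_][A-Za-z0-9_]*   |  # keyword or identifier
    --[^\n]*                 |  # line comment
    /\*.*?\*/                |  # block comment
    \S                          # any other single character (operator, punctuation)
""", re.S | re.X)


def sql_skeleton(sql):
    """Lexical shape of a query. Literals and words collapse to VAL so that only
    structure (token count, comments, operators and punctuation) is compared."""
    shape = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith(("--", "/*")):
            shape.append("COMMENT")
        elif tok[0] == "'" or tok[0].isdigit() or tok[0].isalpha() or tok[0] == "_":
            shape.append("VAL")
        else:
            shape.append(tok)
    return shape


def find_injection(sql, inputs):
    """Return the first input that alters the query's structure, else None.

    A legitimately used input fills exactly one literal slot, so swapping it
    for a neutral value must leave the skeleton unchanged. If the skeleton
    changes, the input contributed SQL syntax of its own (quotes, operators,
    comments), which is the signature of an injection.
    """
    actual = sql_skeleton(sql)
    for inp in inputs:
        if not inp or inp not in sql:
            continue
        if sql_skeleton(sql.replace(inp, "0")) != actual:
            return inp
    return None


class RaspBlocked(Exception):
    """Raised when the guard stops a query in 'block' mode."""


class GuardedConnection(sqlite3.Connection):
    """sqlite3 connection whose execute() is instrumented RASP-style."""
    mode = "block"  # or "monitor": record the event but let the query run

    def execute(self, sql, *args):
        bad = find_injection(sql, REQUEST_INPUTS.get())
        if bad is not None:
            EVENTS.append({"mode": self.mode, "input": bad, "sql": sql})
            if self.mode == "block":
                raise RaspBlocked(f"structure-changing input: {bad!r}")
        return super().execute(sql, *args)


def find_user(conn, name):
    """Legacy lookup, deliberately vulnerable and not yet remediated:
    the user-controlled name is concatenated straight into the SQL."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def handle_request(conn, name):
    """Simulates one web request: register its inputs, then run the handler."""
    token = REQUEST_INPUTS.set((name,))
    try:
        return find_user(conn, name)
    finally:
        REQUEST_INPUTS.reset(token)


def demo(mode="block"):
    """Constructed data and inputs; returns (benign_rows, attack_outcome)."""
    GuardedConnection.mode = mode
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    benign = handle_request(conn, "alice")
    try:
        attack = handle_request(conn, "' OR '1'='1")
    except RaspBlocked as exc:
        attack = str(exc)
    return benign, attack


if __name__ == "__main__":
    print(demo("block"))    # benign lookup succeeds, injection is blocked
    print(demo("monitor"))  # injection runs and dumps every row, but is logged
```

Running the demo in block mode returns the single benign row and a RaspBlocked message for the `' OR '1'='1` input; in monitor mode the injected query succeeds and returns both rows, but the event still lands in EVENTS. Monitor mode exists because a structural check like this can misfire on legitimately odd inputs, so the usual rollout is to watch the detection log against the DAST findings before switching a route to block.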