NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Security Team Intelligence

SANS Critical Control 6: SANS Application Software Security

Another very important area of an organization’s security program is its application security roadmap. We all know that web and mobile applications are most of times the weakest link in the security “chain”.

Furthermore, implementing security controls early on in the System Development Life Cycle (SDLC) is really hard and requires investments in secure coding for developers.

On an ongoing security vulnerability management program for web and mobile applications  is an essential piece of the overall security lifecycle to prevent such targeted and pervasive attacks such SQL injections, Cross-Site Scripting, Remote Command injections, and Cross-Site Request Forgeries, to name only a few.

SANS Critical Control 6 speaks about Application Software Security, including:

“Step 1: Web application firewalls protect connections to internal web applications;

Step 2: Software applications securely connect to database systems;

Step 3: Code analysis and vulnerability scanning tools scan application systems and database systems.”

Web application security testing and dynamic analysis is one of the specialities of Unified VRM. The SaaS solution is capable of:

  • Mapping, Spidering and Testing Web and Mobile applications for OWASP Top 10 Vulnerabilities. The spidering and the fault injection phases are the two powerful phases used to find vulnerabilities in sophisticated web applications. Unified VRM also allows to perform manual spidering of the web applications using an on-demand proxy collecting injection points that are then used for injection later on in the process. Unified VRM also has an auto-sensing technology capable of detecting login forms and session token in order to maintain the authenticated status in sophisticated web applications.
  • Unified VRM is capable of generating on-the-fly rules for a number of Web Application Firewalls (WAF) providing virtual patching capability able to block on their track attacks directed at those vulnerabilities while developers work on fixes.
  • Providing web application, web server and operating system vulnerability management and penetration testing capabilities, Unified VRM is able to correlate vulnerabilities at the application, operating system and database level providing full visibility to the web application stack in terms of security threat vectors.
  • Providing also penetration testing and web application vulnerabilities automated verification for SQL injections, Command Execution and Directory Transversal, Unified VRM not only prioritize vulnerabilities for the customer, but allows to provide Proof of Concept exploitation, in order to prove that the vulnerability is indeed exploitable.
Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.