SANS Critical Control 6: Application Software Security

Another very important area of an organization’s security program is its application security roadmap. We all know that web and mobile applications are, most of the time, the weakest link in the security “chain”.

Furthermore, implementing security controls early on in the System Development Life Cycle (SDLC) is really hard and requires investments in secure coding for developers.

An ongoing security vulnerability management program for web and mobile applications is an essential piece of the overall security lifecycle, preventing targeted and pervasive attacks such as SQL injection, Cross-Site Scripting, Remote Command Injection, and Cross-Site Request Forgery, to name only a few.

SANS Critical Control Number 6 speaks about Application Software Security, including:

“Step 1: Web application firewalls protect connections to internal web applications;

Step 2: Software applications securely connect to database systems;

Step 3: Code analysis and vulnerability scanning tools scan application systems and database systems.”

Web application security testing and dynamic analysis are among the specialities of Unified VRM. The SaaS solution is capable of:

  • Mapping, spidering and testing web and mobile applications for the OWASP Top 10 vulnerabilities. The spidering and fault injection phases are the two powerful phases used to find vulnerabilities in sophisticated web applications. Unified VRM also allows manual spidering of web applications through an on-demand proxy that collects injection points, which are then used for injection later in the process. Unified VRM also has an auto-sensing technology capable of detecting login forms and session tokens in order to maintain the authenticated state in sophisticated web applications.
  • Generating on-the-fly rules for a number of Web Application Firewalls (WAFs), providing a virtual patching capability that blocks attacks directed at those vulnerabilities in their tracks while developers work on fixes.
  • Providing web application, web server and operating system vulnerability management and penetration testing capabilities. Unified VRM is able to correlate vulnerabilities at the application, operating system and database level, giving full visibility into the web application stack in terms of security threat vectors.
  • Providing penetration testing and automated verification of web application vulnerabilities for SQL injection, command execution and directory traversal. Unified VRM not only prioritizes vulnerabilities for the customer, but can also provide proof-of-concept exploitation to show that a vulnerability is indeed exploitable.