Vulnerability management sits at the core of many security programs, but today’s threat landscape has made it even more important to extend protections to the web application layer. In this week’s Whiteboard Wednesday, Tim Honker, Sr. Solutions Engineer at Rapid7, outlines the fundamental differences between traditional vulnerability management and managing vulnerabilities as part of an application security program.
Hi, and welcome to Whiteboard Wednesday. I'm Tim Honker, a Senior Sales Engineer here at Rapid7, and today I'm going to talk to you about the difference between vuln management and application security.
In vuln management, it is the vendor's responsibility to write patches for vulnerabilities in your IT infrastructure. Once you have those patches, then your IT team pushes them out. These specific vulnerabilities are discovered by third-party researchers and are uniquely identified by CVE, or Common Vulnerabilities and Exposures. A CVE is a specific instance of a vulnerability, such as a remote code execution in Adobe Acrobat 7.2. However, these days, every single company is now a software company because everyone's making their own interactive websites. When the developers write the code, they sometimes make mistakes in these large, complex websites, and that's what leaves you vulnerable. With AppSec, it's your organization's responsibility, through its own developers, to write the patch for your homegrown applications.
CWEs are general categories of vulnerabilities that haven't been discovered yet, like the ones on your company's website, such as SQL injection. CWEs require a completely separate remediation process, where your company's developers will need to fix their own source code. There are a few different ways you can find CWEs. First of all, you can skim the source code to look for vulnerabilities using SAST tools. This is a lot like getting a DNA test to determine which disorders you might have. You can also attack the live application and attempt exploitation in a manual or automated way, and this is usually done with pen tests or DAST tools. DAST tools are a lot more like having an MRI scan, where you can look for direct evidence of a tumor or a disorder. The newest option out there is RASP, where you monitor the application and its traffic. Some RASP tools can detect and block malicious traffic. RASP tools are the equivalent of hooking yourself up to an EKG to monitor for indicators of a disease or disorder.
Since you're the first person to discover these CWEs on your website, it's a lot harder to contextualize the business risk. You can detect or block exploitation of CWEs on your website using a web application firewall or a RASP. To summarize, application security is your company's fault, and it's your responsibility to fix it for your public-facing website. In vuln management, it's another company's job to release the patch, and it's your job to release it to your IT infrastructure. There is a consistent risk with VM and an inconsistent and more difficult risk associated with application security.
That's it for this week's Whiteboard Wednesday. I'll see you next week.
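The SQL injection case Tim uses to illustrate a CWE, worked through as an added example; this is not code from the video or from Rapid7, and the users table, credentials and injection payload are constructed for the demonstration. It shows the three things the talk separates: the homegrown code that introduces the weakness (CWE-89, string-built SQL), the developer-side fix (parameter binding), and a minimal SAST-style check that finds the vulnerable pattern by scanning source rather than by attacking the running application. It assumes Python 3 with the standard library's sqlite3 and ast modules.

```python
import ast
import sqlite3
import textwrap

# Constructed sample data for the demonstration (not from the original page).
USERS = [
    ("alice", "s3cret!"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Homegrown login that splices user input into the SQL text.

    This is the CWE-89 pattern: attacker-controlled strings become part of
    the query, so the database parses them as SQL instead of data.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    ).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Developer-side fix: bind parameters so input is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demonstrate():
    """Run one injection payload against both versions.

    Returns (vulnerable_result, fixed_result). The payload closes the quoted
    username and comments out the password check; only the string-built
    query lets it through.
    """
    conn = make_db()
    payload_user = "alice' -- "
    vuln = login_vulnerable(conn, payload_user, "wrong")
    fixed = login_fixed(conn, payload_user, "wrong")
    conn.close()
    return vuln, fixed


def flag_string_built_queries(source):
    """Minimal SAST-style check over Python source text.

    Returns line numbers of .execute() calls whose query argument is built
    with %, str.format() or an f-string. This is a heuristic for illustration,
    not a substitute for a real SAST tool.
    """
    hits = []
    for node in ast.walk(ast.parse(textwrap.dedent(source))):
        is_execute = (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "execute"
            and node.args
        )
        if not is_execute:
            continue
        arg = node.args[0]
        built_at_runtime = (
            (isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod))
            or isinstance(arg, ast.JoinedStr)
            or (
                isinstance(arg, ast.Call)
                and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format"
            )
        )
        if built_at_runtime:
            hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    print("vulnerable vs fixed:", demonstrate())
```

The payload `alice' -- ` turns the vulnerable query into `... WHERE username = 'alice' -- ' AND password = 'wrong'`, so the password clause is commented away and the login succeeds; against the bound-parameter version the same string is just a username that does not exist. The scanner is the "DNA test" half of the talk: it never runs the application, it only looks for the code shape that produces the CWE, which is why the fix has to come from the developers who own that code rather than from an external vendor's patch.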