Intelligent CIO Middle East Issue 32 - Page 20

LATEST INTELLIGENCE

TRIAGING THE ENTERPRISE FOR APPLICATION SECURITY ASSESSMENTS

Conducting a full array of security tests on all applications in an enterprise may be infeasible due to both time and cost. According to the Centre for Internet Security, the purpose of application-specific testing and penetration testing is to discover previously unknown vulnerabilities and security gaps within the enterprise. These activities are only warranted after an organisation attains significant security maturity, which results in a large backlog of systems that need testing. When organisations finally undertake penetration testing and application security efforts, it can be difficult to choose where to begin. Computing environments are often filled with hundreds or thousands of different systems to test, and each test can be long and costly. At this point in the testing process, little information is available about an application beyond the computers involved, the owners, the data classification, and the extent to which the system is exposed. With so few variables, many systems are likely to end up with equal priority. This paper suggests a battery of technical checks that testers can perform quickly to stratify the vast array of applications that exist in the enterprise ecosystem, so that the security team can focus its efforts on the riskiest systems first.

Introduction

In mature enterprises, application security and penetration testing programs exist to find vulnerabilities in internally developed applications and in the complex interactions between systems (Scarfone et al., 2008). Both programs should be integrated with the Secure Development Lifecycle (SDL) to prevent vulnerabilities in internally developed