Intelligent CISO Issue 03 | Page 15

latest intelligence

TRIAGING THE ENTERPRISE FOR APPLICATION SECURITY ASSESSMENTS

Conducting a full array of security tests on all applications in an enterprise may be infeasible due to both time and cost. According to the Center for Internet Security, the purpose of application-specific and penetration testing is to discover previously unknown vulnerabilities and security gaps within the enterprise. These activities are only warranted after an organisation attains significant security maturity, which results in a large backlog of systems that need testing.

When organisations finally undertake the efforts of penetration testing and application security, it can be difficult to choose where to begin. Computing environments are often filled with hundreds or thousands of different systems to test, and each test can be long and costly. At this point in the testing process, little information is available about an application beyond the computers involved, the owners, the data classification, and the extent to which the system is exposed. With so few variables, many systems are likely to have equal priority. This paper suggests a battery of technical checks that testers can quickly perform to stratify the vast
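The tie problem the excerpt describes can be made concrete. The following Python is an added illustration written for this page, not code from the whitepaper or from Intelligent CISO: it ranks a constructed application inventory using only the fields the text says are known up front (owner, data classification, exposure), shows that several systems land in the same priority bucket, and then breaks those ties with the results of quick checks. The inventory, the ordinal scales and the check names are assumptions constructed for the example; the whitepaper's own battery of checks is not reproduced here.

```python
"""Triage an application inventory for assessment scheduling.

Added illustration, not part of the whitepaper excerpt. The inventory,
the classification/exposure scales and the quick-check names below are
constructed for this example and are not values from the page.
"""
from collections import defaultdict

# Ordinal scales (constructed): a higher value means more sensitive or more exposed.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
EXPOSURE_RANK = {"isolated": 0, "internal": 1, "partner": 2, "internet": 3}

# Constructed inventory holding only the fields the text says are available early.
INVENTORY = [
    {"name": "hr-portal", "owner": "people-ops", "classification": "restricted", "exposure": "internal"},
    {"name": "payroll-api", "owner": "finance", "classification": "restricted", "exposure": "internal"},
    {"name": "marketing-site", "owner": "comms", "classification": "public", "exposure": "internet"},
    {"name": "customer-portal", "owner": "sales", "classification": "confidential", "exposure": "internet"},
    {"name": "partner-sftp", "owner": "it-ops", "classification": "confidential", "exposure": "partner"},
    {"name": "build-dashboard", "owner": "eng", "classification": "internal", "exposure": "internal"},
]

# Constructed results of hypothetical quick checks; True means the check passed.
QUICK_CHECKS = {
    "hr-portal": {"auth_on_all_entry_points": True, "tls_current": True, "inputs_validated": False},
    "payroll-api": {"auth_on_all_entry_points": False, "tls_current": True, "inputs_validated": False},
    "marketing-site": {"auth_on_all_entry_points": True, "tls_current": False, "inputs_validated": False},
    "customer-portal": {"auth_on_all_entry_points": True, "tls_current": False, "inputs_validated": True},
    "partner-sftp": {"auth_on_all_entry_points": True, "tls_current": True, "inputs_validated": True},
    "build-dashboard": {"auth_on_all_entry_points": True, "tls_current": True, "inputs_validated": True},
}


def base_priority(app):
    """Coarse priority from the two inventory fields that carry risk meaning."""
    return CLASSIFICATION_RANK[app["classification"]] + EXPOSURE_RANK[app["exposure"]]


def group_by_priority(apps):
    """Bucket applications by base priority, highest bucket first.

    Any bucket with more than one member is a tie: the inventory fields
    alone cannot say which of those systems should be tested first.
    """
    buckets = defaultdict(list)
    for app in apps:
        buckets[base_priority(app)].append(app["name"])
    return dict(sorted(buckets.items(), reverse=True))


def tied_groups(apps):
    """Return only the buckets that need further stratification."""
    return {p: names for p, names in group_by_priority(apps).items() if len(names) > 1}


def failed_checks(name, quick_checks):
    """Count failed quick checks for one application (0 if none were run)."""
    return sum(1 for passed in quick_checks.get(name, {}).values() if not passed)


def stratify(apps, quick_checks):
    """Order applications by (base priority, failed quick checks), both descending.

    The quick-check count is only consulted where base priority ties, so the
    coarse risk ordering is preserved and the ties within it are resolved.
    """
    def key(app):
        return (base_priority(app), failed_checks(app["name"], quick_checks))
    return [app["name"] for app in sorted(apps, key=key, reverse=True)]


if __name__ == "__main__":
    print("Priority buckets from inventory fields only:", group_by_priority(INVENTORY))
    print("Buckets that tie:", tied_groups(INVENTORY))
    print("Test order after quick checks:", stratify(INVENTORY, QUICK_CHECKS))
```

With only classification and exposure, three of the six constructed systems score 4 and cannot be ordered; the quick-check failures then separate them without letting a lower-risk system jump ahead of a higher-risk one.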