Editor’s Note: This is the third serialized post based on our recently published Security Guide: 5 Steps to Get Ahead and Stay Ahead of Application Vulnerabilities. You can also download the entire guide here. In each section of this guide we cover Key Questions, the Challenges organizations face, and how AppSOC addresses these challenges.
Key Questions
- How widespread is the problem?
- Where is this vulnerability in our code?
- What techniques can be used to exploit this weakness?
- Did this enter through our software supply chain?
Challenges
Consolidating and cleaning up security data is a good first step, but you also need to connect the dots. For any security issue, an application security manager needs to slice and dice the data in multiple ways and analyze risk at multiple levels. You also need to correlate related activities that may indicate a broader attack with coordinated tactics. Gartner summarizes the need for correlation and how ASPM tools can help:
By correlating data about specific vulnerabilities from the perspective of different tools and grouping data from disparate tools related to a specific application, ASPM can deliver a comprehensive view of the application’s overall security stance. While individual groups can maintain a view of data relevant to their roles and responsibilities, it is also possible to view status in a way that makes sense to line-of-business managers and others who require a broader perspective.
Gartner, Inc., Innovation Insight for Application Security Posture Management, 2023
The Difference Between Vulnerabilities and Weaknesses
While the term vulnerability is often used as shorthand for any software bug, there is a difference between specific vulnerabilities and the broader types of weaknesses that vulnerabilities, misconfigurations, and other issues exploit. Two different databases track these, and an important part of effective correlation is cross-referencing them.
The Common Vulnerabilities and Exposures (CVE) program is a database of vulnerabilities identified in specific application code bases and open-source libraries. CVEs are quantitative, referring to specific instances of software flaws that have been discovered and reported in real-world applications.
The Common Weakness Enumeration (CWE) is a list of weaknesses in software that can lead to security issues. CWEs are qualitative, describing broad types of vulnerabilities by their nature and structure, such as SQL Injection or Buffer Overflow, without tying them to specific instances.
Understanding Application Hierarchy
Knowing you have vulnerabilities is not useful unless you can quickly trace them to specific lines of code. But modern applications are increasingly built from shared open-source libraries and microservices that serve as the building blocks of core processes, on top of the applications themselves and the hosts they run on.
The Software Supply Chain Wildcard
Major attacks on supply chains have raised an urgent need to monitor and understand the software bill of materials (SBOM) for every application and component. A vulnerability in a widely used library, such as Log4j, can cause alerts across your stack, and needs to be quickly traced back to the source.
Best Practices for Vulnerability Correlation
To meet these challenges, an ASPM solution must provide intelligent correlation of data across multiple axes, including:
- Correlating specific vulnerability CVEs to the broader attack techniques catalogued in CWEs. Without this context, it’s difficult to understand their potential impact or choose a remediation strategy.
- Mapping issues to your application and organizational hierarchy including shared libraries, microservices, applications, hosts, and business units. This can dramatically reduce noise and make remediation more efficient.
- Drill-down, Roll-up: ASPM solutions require sophisticated and flexible UIs that can identify issues at any level, drill down to specific details, and roll up data to highlight the bigger picture for an organization.
- SBOM Visibility: the solution needs to identify supply chain vulnerabilities, and quickly show how shared libraries and services map to your application structure.
How AppSOC Connects the Dots
AppSOC solves the correlation challenge with detailed visibility and granular control over where vulnerabilities occur, which are related by common attack techniques, and where these fit in your application hierarchy. This approach enhances security analysis by providing a comprehensive view of application security.
Correlating CVEs and CWEs
AppSOC goes far beyond relying on the base CVSS scores (see Step 3) provided by most security tools. The platform provides direct lookups and correlations between CVEs and CWEs, mapping them to types of attacks and grouping multiple vulnerabilities reported by shift-left (DevOps) scanners or right-side (operational) security tools.
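The CVE-to-CWE cross-referencing described in the definitions section and the cross-tool grouping described here, as an added example that is not AppSOC's code: findings from a shift-left scanner and an operational agent are grouped by weakness class, the same CVE reported by both sides is counted once per CWE, and CVEs the lookup cannot map are surfaced rather than dropped. The scanner output, the CVE identifiers and the CVE-to-CWE table are all constructed placeholders; only the CWE identifiers are real.

```python
from collections import defaultdict

# Constructed scanner output (not real tool data): one shift-left SCA scanner and one
# operational runtime agent report findings; CVE ids and component names are placeholders.
FINDINGS = [
    {"tool": "sca-scanner", "side": "left", "cve": "CVE-0000-1001", "where": "cart-svc/lib-a"},
    {"tool": "sca-scanner", "side": "left", "cve": "CVE-0000-1002", "where": "pricing-svc/lib-b"},
    {"tool": "runtime-agent", "side": "right", "cve": "CVE-0000-1001", "where": "host-01/lib-a"},
    {"tool": "runtime-agent", "side": "right", "cve": "CVE-0000-1003", "where": "host-01/lib-c"},
]

# Constructed CVE -> CWE lookup standing in for an NVD-style feed. The CWE ids are the
# real identifiers for SQL Injection (CWE-89) and Classic Buffer Overflow (CWE-120);
# CVE-0000-1003 is deliberately left unmapped to show how gaps in the feed surface.
CVE_TO_CWE = {"CVE-0000-1001": "CWE-89", "CVE-0000-1002": "CWE-120"}

def correlate(findings, cve_to_cwe):
    """Group raw findings by weakness class. Each group records the distinct CVEs,
    which sides (left/right) reported them, the locations, and the instance count.
    CVEs with no CWE mapping are kept under 'UNMAPPED' rather than silently dropped."""
    groups = defaultdict(lambda: {"cves": set(), "sides": set(), "where": set(), "instances": 0})
    for f in findings:
        g = groups[cve_to_cwe.get(f["cve"], "UNMAPPED")]
        g["cves"].add(f["cve"])
        g["sides"].add(f["side"])
        g["where"].add(f["where"])
        g["instances"] += 1
    return dict(groups)

def corroborated(groups):
    """Weakness classes reported by both a shift-left and an operational tool: the same
    bug seen in code and in production is the strongest signal for what to fix first."""
    return sorted(cwe for cwe, g in groups.items() if g["sides"] == {"left", "right"})

if __name__ == "__main__":
    groups = correlate(FINDINGS, CVE_TO_CWE)
    for cwe, g in sorted(groups.items()):
        print(cwe, g["instances"], sorted(g["cves"]), sorted(g["where"]))
    print("fix first:", corroborated(groups))
```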
Understanding Application Hierarchy
With the thousands of vulnerabilities and issues that bombard security teams, it’s critical to quickly pinpoint where they occur and what they might affect. To do this effectively, you first must look at the application hierarchy, which is crucial for effective vulnerability management within DevSecOps frameworks.
AppSOC understands your application structure and maps all security issues from the top to the bottom of your application stack, starting with:
- Business Units
- Hosts
- Applications
- Microservices
- Libraries
- Individual findings
Using this knowledge, the platform can connect the dots about where vulnerabilities occur, which components are affected, and how many related instances are found across applications, hosts, and business units.
Drill-Down, Roll-Up
With its intuitive user interface, AppSOC makes it easy to drill down to pinpoint the source of specific issues and to roll up findings across broader groups to determine impact. AppSOC also includes both Executive and Technical Dashboards to help both teams identify trends, remediate issues, and track compliance.
Cumulative Score
A vulnerability in a library or microservice may occur hundreds of times, potentially drowning out other signals and overwhelming analysts.
For example, a vulnerability in a commonly used library like Log4j might show up in hundreds of places across your application stack, drowning out less frequent vulnerabilities. Rather than simply adding scores from top to bottom, AppSOC uses a logarithmic scale to compress the data spikes while still clearly illuminating the bigger picture.
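The roll-up and cumulative-score idea from the two sections above, as an added example that is not AppSOC's code: findings are rolled up through the business unit / host / application / microservice / library hierarchy, and each node is scored both by naive summation and by a log-compressed score so that one library bug repeated a dozen times no longer drowns out a single, rarer finding. The hierarchy and severity values are constructed, and the compression formula (worst finding at full weight plus log10 of the remaining mass) is an illustrative assumption, not AppSOC's published formula.

```python
import math

# Constructed hierarchy, not AppSOC data: business unit -> host -> application
# -> microservice -> library; findings (CVSS-like severities) sit on the libraries.
TREE = {
    "name": "Payments BU",
    "children": [
        {"name": "host-01", "children": [
            {"name": "checkout-app", "children": [
                {"name": "cart-svc", "children": [
                    {"name": "log-lib", "findings": [9.0] * 12},  # one bug, twelve copies
                ]},
                {"name": "pricing-svc", "children": [
                    {"name": "http-lib", "findings": [7.0, 5.0, 4.0]},
                ]},
            ]},
        ]},
    ],
}

def severities(node):
    """Collect every finding severity under a node (libraries are the leaves)."""
    found = list(node.get("findings", []))
    for child in node.get("children", []):
        found.extend(severities(child))
    return found

def compress(sev):
    """Illustrative log compression (an assumption, not AppSOC's published formula):
    the worst finding keeps full weight and the remaining mass enters as log10, so
    twelve copies of one bug still outrank one bug without swamping the roll-up."""
    if not sev:
        return 0.0
    worst = max(sev)
    return worst + math.log10(1 + sum(sev) - worst)

def roll_up(node):
    """Score one node two ways, naive sum versus compressed, with the finding count."""
    sev = severities(node)
    return {"name": node["name"], "count": len(sev),
            "raw": sum(sev), "compressed": compress(sev)}

def ranked(node):
    """Roll up each direct child of a node and rank them, worst first."""
    return sorted((roll_up(c) for c in node.get("children", [])),
                  key=lambda r: r["compressed"], reverse=True)

if __name__ == "__main__":
    for row in ranked(TREE["children"][0]["children"][0]):  # checkout-app's services
        print(row)
```

With these inputs the repeated library bug scores 11.0 against 8.0 for the other service, instead of 108 against 16 under naive summation.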
Monitoring Supply Chain Issues
Painful supply chain attacks like SolarWinds and Log4j showed that even the most secure organizations can be crippled by vulnerabilities embedded in their code by third parties.
AppSOC is unique in the ASPM space in building a Dependency Tree for any application that visually shows the relationships between applications, microservices, and shared libraries.
This makes it quick to identify those relationships and to see how a vulnerability at any level will impact your code structure.
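The dependency-tree tracing described above, as an added example that is not AppSOC's code: SBOM-style dependency edges are inverted so that a vulnerability in a deeply nested shared library can be followed back up to every microservice and application that transitively includes it, with the chain that explains each hit. The component names and edges are constructed; the traversal also tolerates cyclic dependency data, which real SBOM exports sometimes contain.

```python
from collections import defaultdict

# Constructed SBOM-style dependency edges (not real project data): parent -> direct
# dependencies. Applications depend on microservices, microservices on shared
# libraries, and libraries on other libraries (log-core is only pulled in transitively).
DEPENDS_ON = {
    "checkout-app": ["cart-svc", "pricing-svc"],
    "reporting-app": ["report-svc"],
    "cart-svc": ["log-api", "http-lib"],
    "pricing-svc": ["http-lib"],
    "report-svc": ["log-api"],
    "log-api": ["log-core"],
    "http-lib": [],
    "log-core": [],
}

def reverse_edges(depends_on):
    """Invert the tree so each component lists what directly includes it."""
    used_by = defaultdict(set)
    for parent, deps in depends_on.items():
        for dep in deps:
            used_by[dep].add(parent)
    return used_by

def blast_radius(depends_on, vulnerable):
    """Every component that transitively includes `vulnerable`, mapped to the chain
    that explains why, so a library-level CVE can be traced up to the applications it hits."""
    used_by = reverse_edges(depends_on)
    paths, seen, stack = {}, {vulnerable}, [(vulnerable, [vulnerable])]
    while stack:
        node, chain = stack.pop()
        for parent in sorted(used_by.get(node, ())):
            if parent in seen:  # already reached by another chain; also guards cycles
                continue
            seen.add(parent)
            paths[parent] = chain + [parent]
            stack.append((parent, paths[parent]))
    return paths

def affected_apps(depends_on, vulnerable):
    """Top-level components (nothing depends on them) reached from the vulnerable one."""
    used_by = reverse_edges(depends_on)
    return sorted(c for c in blast_radius(depends_on, vulnerable) if c not in used_by)

if __name__ == "__main__":
    for comp, chain in blast_radius(DEPENDS_ON, "log-core").items():
        print(f"{comp:14} <- " + " <- ".join(reversed(chain)))
```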