Measuring web application security is critical to the program’s success. Chief Information Security Officers (CISOs) and other professionals in charge of the program need data intelligence to monitor technologies, processes, and people managing the processes. The metrics also become significant in reporting the efficiency of a web application security program to the senior management members.
However, what is it that you should measure and monitor? What are the key indicators for the success of your web application security program? We bring you the most effective questions within three categories to establish a set of metrics for you and your team.
A vulnerability is a weakness that allows a hacker to breach your application.
At any given time, this is the most important application security metric you should have. Whether you are using automated testing, penetration testing/ethical hacking or a combination of both, the report should detail your exposure.
A more comprehensive view of these vulnerabilities will also emphasize the risk severity and business risks of each vulnerability.
You can start tracking some of these vulnerabilities with AppTrana Free Website Security Scan.
These figures will help you prioritize remediation action and decrease the exposure risks.
Find out about business risks in the OWASP Top 10 Vulnerabilities Playbook
Why: The number of vulnerabilities and their severity is directly proportional to the attack risk.
According to the Web Application Security Statistics Report, fixing critical vulnerabilities takes 146 days on average. That is five months for hackers to try different attack methods. Can you really afford that?
If your vulnerability testing reports omit the age of each finding, chances are that findings will stay open for weeks, even months. How long has it been since a given vulnerability was first discovered? You need to fully understand the business impact of Critical, High and Medium loopholes and ensure that they are remediated or protected through a Web Application Firewall.
Why: Without patching or protection, attackers get time to try out various exploitation methods.
The rapid rate of application development and updates often leads to an increase in vulnerability data. While you are struggling to keep up with the old issues, there is a chance that new releases bring in new, even more severe issues within the application.
The number of new vulnerabilities is a key application security metric, especially with new releases and updates. It helps security professionals make informed decisions about securing the new application version.
Why: Number and severity of new vulnerabilities help CISOs monitor recent risks.
It takes 146 days to fix a critical vulnerability. Will the hackers wait to exploit it? Is your team really pushing the fixes proactively?
For most new-age companies, time to fix reported vulnerabilities is a headache. Even critical ones can stay in the software for weeks. With this app security metric in place, companies can start focusing on lowering the fix time frame, especially if you are not protected by virtual patching or another hack-prevention layer.
Why: A high average fix time highlights how many days risks stay open and allows you to track patch-development efficiency.
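The four metrics above (open vulnerabilities by severity, age of the oldest open finding, new findings per release, and average time to fix) can be computed directly from a scanner or pentest report. The following is an added example, not code from the original post or from AppTrana; the record schema, ids and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

@dataclass(frozen=True)
class Finding:
    """One vulnerability record as a scan or pentest report would list it (constructed schema)."""
    vuln_id: str
    severity: str
    first_found: date            # date the finding first appeared in any report
    fixed_on: Optional[date]     # None while the finding is still open
    release: str                 # application release the finding was first seen in

# Constructed sample report: illustrative ids and dates, not real findings.
FINDINGS = [
    Finding("V-001", "Critical", date(2020, 1, 10), None, "v1.4"),
    Finding("V-002", "High", date(2020, 2, 1), date(2020, 3, 2), "v1.4"),
    Finding("V-003", "Medium", date(2020, 3, 15), None, "v1.5"),
    Finding("V-004", "Critical", date(2020, 3, 20), date(2020, 4, 9), "v1.5"),
    Finding("V-005", "High", date(2020, 4, 1), None, "v1.6"),
]

def open_findings(findings):
    return [f for f in findings if f.fixed_on is None]

def open_count_by_severity(findings):
    """Metric 1: vulnerabilities still open right now, per severity."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in open_findings(findings):
        counts[f.severity] += 1
    return counts

def oldest_open_age_days(findings, today):
    """Metric 2: age of the longest-open finding, i.e. how long attackers have had it."""
    ages = [(today - f.first_found).days for f in open_findings(findings)]
    return max(ages, default=0)

def new_in_release(findings, release):
    """Metric 3: findings first introduced by a given release."""
    return [f.vuln_id for f in findings if f.release == release]

def mean_time_to_fix_days(findings, severity=None):
    """Metric 4: average days from discovery to fix, optionally for one severity."""
    durations = [(f.fixed_on - f.first_found).days for f in findings
                 if f.fixed_on is not None and (severity is None or f.severity == severity)]
    return mean(durations) if durations else None
```

Run the report against the same record set after every scan and compare with the previous run; a rising oldest-open age or mean time to fix is the signal to escalate.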
Some security loopholes are exclusive to your business. These are business logic vulnerabilities that arise due to logical flaws in the business function or flow. Since no automated tool will know about your business flow, they will not detect these vulnerabilities either.
New-age business and cloud companies should look for comprehensive vulnerability testing, which also deals with the logical flaws of the business. Ideally, it should combine frequent automated testing with manual penetration testing by security experts. Business logic vulnerabilities should be resolved at the earliest.
Why: Business logic vulnerabilities are critical and should be fixed on priority.
Category: Attack Intelligence
An intelligent web application firewall not only blocks the attack but also studies traffic and attack vectors to assimilate patterns and behaviors. For instance, AppTrana is designed to sync data between web application scanning and firewall to learn about exploitation attempts. If a single vulnerability is targeted repeatedly, it not only blocks those attempts, it also alerts the security team and customer about the attempts.
Why: Frequent attacks on a vulnerability indicate that hackers know about the issue and are just finding ways to crack it.
Do you know which are the most attacked pages of your site? Look at the following pieces of information and tell us which one makes more sense.
a) Your website was attacked 53 times last month.
b) Hackers attempted to exploit vulnerability on Page A (23 attacks), Page B (20 attacks), and Page C (10 attacks).
The second one is, without a question, a more intelligent insight that will lead to actions. For instance, Page C is our payment gateway and requires immediate attention. Keeping an eye on URI metrics is essential in prioritization.
Why: Important URIs take precedence in risk remediation for their business impact.
Going a step deeper, wouldn't it help to have attack counts broken down by country and IP address? The next generation of attack intelligence will not only tell you about attacks but also where they originate from.
Why: Certain IP ranges or countries can cause huge damage to your business. Identify them proactively.
Zero-day vulnerabilities have notoriously caused data breaches. A zero-day means it has been zero days since anyone knew about it, so no one has fixed it yet.
So, if there is no patch, how do you prevent attacks? The only way to consistently prevent such breaches to your web applications is to get into the mind of a hacker, profile their behavior, and track their intent before they’ve attacked.
You should have readily available data on how many zero-day vulnerabilities were found on the website and how they were protected. Indusface sends a weekly report to all its customers along with a publicly available zero-day report every month.
Why: No business can prepare against zero-day attacks. Ensure that you have proactive protection.
Category: Threat Analytics and Self Learning
Most security professionals are busy dealing with issues as and when they see them. This includes periodic testing, patching when required and dealing with DDoS when there’s an outage. However, the future of application security is in round-the-clock hack prevention.
Machine learning and expert intelligence have changed everything. Collecting, monitoring, and analyzing past threats will help your security team identify patterns and create protection against future threats.
Why: Numbers and patterns from previous attacks help ensure protection in the future.
An extensively studied and labeled database is the cornerstone of web application security metrics. How difficult would it be to stop a DDoS attack if you already know that the attacking IPs are of ill repute? Would it really take any time to block them all?
While this is a difficult process to manage in-house, managed security providers can help. For instance, AppTrana collects data from its 900+ customers and uses it as the basis to define, categorize and label identities based on several red flags.
Why: Studied attack patterns and behavior help build future blocking and protection policies.
Keeping your application secure is a team effort. Although it is a long-term process, you can start today by getting the right numbers and asking the right questions.
Build your foundation on these three things.
Having trouble with these numbers? Sign up for AppTrana for Free to get your own managed security team to help set up continuous hack prevention.
Or you can start with AppTrana Free Plan to at least detect the basic vulnerabilities before hackers discover and exploit them.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.