For the average home, the front door is likely the most heavily fortified entry point and, therefore, the hardest to compromise. Similarly, it is a natural inclination to rank applications by perceived risk and then concentrate application security testing on those applications with the highest risk. However, the days when an organization only tests its high-risk applications are over.
Your adversaries know your front door is likely well protected, so they avoid the complications and look for an alternative way in. Perhaps the basement window that is out of sight and more easily breached.
It is the same with applications. Adversaries know that high-risk applications will be hardened against attack and tested for vulnerabilities. Adversaries have therefore adopted a “penetrate and pivot” technique gaining access through applications perceived to be of lower risk and pivoting to their high-worth targets. This means organizations are taking a huge gamble when they limit application security testing to high-risk applications only. This truth was hammered home in 2014 by multiple high-profile breaches where the entry points were applications perceived to be low profile and low risk.
The lesson is clear: organizations must test their entire application portfolio or risk the consequences.
Tradecraft like privilege escalation using IDs and passwords obtained from the low-risk applications has been at the heart of some of the highest profile breaches in the past twelve months. In one instance, it was a web site used by the company’s foundation for a fundraising road race that provided the penetration point. Taken a step further, breaches of low-risk applications are less likely to be detected, because of the lack of continuous oversight. This provides the adversary plenty of time to make the pivot.
Companies must ensure the breadth of their entire application portfolio gets tested with the proper blend of rigor, frequency, and efficiency.
To make this practical and cost effective, the testing program must be flexible to match the depth of testing to the risk level of each application. It must also empower the organization to pivot to address changing business requirements and evolving threats.
Every web-facing application can and will be used as an entry point into an organization. The ultimate goal is to eliminate testing gaps that provide the adversary the penetration points they seek.