IBM Support

How to identify security vulnerabilities within an application, impacts and remediation.

Technical Blog Post


Abstract

How to identify security vulnerabilities within an application, impacts and remediation.

Body

Author: Manisha Khond, IBM Cognitive Engagement, Watson Supply Chain.

 

A security vulnerability in an application is a weak spot that might be exploited by a security threat.

Risks are the potential consequences and impacts of unaddressed vulnerabilities.

 

Impact of security breaches:

Security breaches affect organizations in a variety of ways. They often result in the following:

  • Loss of revenue
  • Damage to the reputation of the organization
  • Loss or compromise of data
  • Interruption of business processes
  • Damage to customer confidence
  • Damage to investor confidence
  • Legal Consequences -- In many states/countries, legal consequences are associated with the failure to secure the system—for example, Sarbanes Oxley, HIPAA, GLBA, California SB 1386.
  • Security breaches can have far-reaching effects. When there is a perceived or real security weakness, the organization must take immediate action to ensure that the weakness is removed and the damage is limited.

 

Security Risk Management processes:

  • Identify security threat (Information Disclosure, Denial of Service, and Tampering with data)
  • Analyze & Prioritize Security Risks
  • Develop Security remediation (fix, configuration changes, apply security patches etc)
  • Test Security Remediation
  • Reassess the security vulnerability after changes to an application like patch application or upgrade to higher version.

 

What are the sources to identify security vulnerability within an application?

  • National vulnerability database https://nvd.nist.gov/
  • Common Vulnerabilities and Exposures https://cve.mitre.org/
  • Vendor website Security Bulletin
  • Security scan of an application using third party tools.
  • Application testing and observations
  • Regularly monitoring security vulnerabilities in related applications or environments (Operating System, Database, Third party libraries etc).

 

National Security Database:

NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).

 

Common Vulnerabilities and Exposures https://cve.mitre.org/

 

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.

CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

The MITRE Corporation maintains CVE and this public Web site, manages the compatibility program, oversees the CVE Naming Authorities, and provides impartial technical guidance to the CVE Editorial Board throughout the process to ensure CVE serves the public interest.

 

Security Bulletin

Published on vendor website.

 

Application scan using third party tool for security vulnerability.

  • HP Fortify WebInspect
  • IBM Security AppScan
  • TripWire WebApp360
  • Rapid7 AppSpider

The security scan tool provide the security vulnerability report which identifies:

  • Prioritizes the security vulnerability (Low, Medium, High, critical).
  • Classify the security vulnerability (Cross Site Scripting, SQL Injection Detection, Encryption not enforced).
  • Details the vulnerability identifying web pages affected by the vulnerability.
  • Suggest the solution.

 

Application Testing/observations.

 

How would customer remediate the security vulnerability?

No matter how you detect the security vulnerability, customer should get the security vulnerability assessed by their security team.

If the security team confirms that it is security threat to the product, open the ticket with IBM detailing the security vulnerability and supporting documentation.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Do you have questions on this blog?

Please post your questions via comments.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}]

UID

ibm11120761