You learn you have an application vulnerabilities because:
- a security assessment told you
- a penetration test told you
- an interested party told you, or
- the post mortem of an incident told you.
You want to install a vendor’s patch (in the case of a third party application) or update the code (in the case of an internal application) or change the configuration (when excessive privileges or unthrottled resource allocation is the issue). You will not be able to do this right away (no resources, regression testing takes times), and perhaps not at all (no source code).
What can you do?
- Shut down the application. Is the benefit of the application significant? Consider removing a vulnerable application which is of little value.
- Remove the vulnerable functionality of the application. Is the benefit of the application’s feature significant? For example, a web-based administrative interface can be convenient but administrators may have other methods. Consider removing a vulnerable feature of an application.
- Remove access to the functionality at the network layer. If it can’t be reached, it can’t be exploited (until someone makes it reachable).
- Remove access to the functionality at the application layer. It may still be reachable, but you will need certain credentials to exploit the vulnerability.
- Minimize the impact. For example, a SQL Injection vulnerability where the web application’s privileges are severely limited is of little impact. A file upload or download vulnerability which cannot overwrite important files is of little impact.
- Prevent exploitation. This is typically through a web application firewall. Use rules which permit only the expected input, don’t filter out the known bad example (the Proof of Concept).
- Detect exploitation. Perhaps this appears to be low risk, low probability. Watch and wait, at least know when the application is being exploited.
ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.