Application security is a significant challenge for any organization. The sheer number of application vulnerabilities makes traditional patch management processes unscalable and overwhelming. Minimizing enterprise risk requires a new approach, such as limiting vulnerability exploitability by implementing zero trust security via a solution like Secure Access Service Edge (SASE).
Half of Applications Contain Exploitable Vulnerabilities
Software is written by humans, and humans make mistakes. Therefore, it should not come as a surprise that software contains bugs and that some of these bugs are vulnerabilities that can be exploited by an attacker.
However, the scope of the problem may come as a surprise. A recent study found that over half of applications used in certain industries (including healthcare, education, and retail) have at least one exploitable vulnerability.
Most businesses use a variety of different applications as part of their daily business. If half of these applications have at least one exploitable vulnerability, then most organizations have a number of holes in their defenses that an attacker can take advantage of. In most cases, an attacker only requires a single vulnerability to gain access, and the research shows that an organization’s current attack surface provides a variety of options to choose from.
Vulnerability Management is a Significant Challenge
The widespread vulnerability of enterprise applications doesn’t come from a lack of interest in security. Many organizations want to secure their systems, but application security comes with a variety of challenges.
The best way to manage exploitable vulnerabilities within an application is to eliminate them by applying the associated patches. However, patch management can be complex and time-consuming: organizations need to identify the required patches, test them to ensure that they won’t break systems, apply them to vulnerable software, and test again to ensure that each patch was applied correctly and fixed the system.
This process means that applying a single patch can be a significant time investment, and an organization may have dozens or hundreds of vulnerabilities within its systems. These can add up quickly and overwhelm already overburdened security teams.
Limiting Access Decreases Vulnerability Exploitability
It’s a cliche – but an actual fact – that three things are necessary to commit a crime: means, motive, and opportunity. The widespread exploitable vulnerabilities in applications provide cyber criminals with the means, and any cyber attacker has the required motive. If an organization wants to minimize its cybersecurity risk, a good area of focus is denying a potential attacker the opportunity to carry out an attack.
Minimizing opportunity requires the ability to limit access to potentially exploitable applications. This is where zero trust becomes a critical part of enterprise risk management.
Historically, many organizations have adopted a perimeter-focused, permissive approach to security. Anyone with access to the internal network is assumed to be trustworthy and granted full access, and all attacks are believed to come from outside, so security is focused on keeping the outsiders out. Virtual Private Networks (VPNs) work on this model, where authenticated remote users are granted full access to the network.
Zero trust security models, on the other hand, provide access to networks, systems, and applications on a case-by-case basis. When a user requests access to a particular resource, the system applies access controls to determine if the request is authorized. If so, the user is granted access to only the desired resource and only at the requested privilege level (read only, read-write, etc.).
Implementing zero trust can help to minimize the impact of unpatched vulnerabilities within an organization’s applications. If an attacker cannot gain access to a particular resource, they lack the ability to exploit it. By restricting access based on the principle of least privilege, an organization dramatically decreases an attacker’s opportunities to exploit its vulnerable applications and systems.
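The contrast above between perimeter access and per-request zero trust access can be made concrete. The following Python code is an added example, not part of the original article or of any product; the users, resources, grants and vulnerability flags are constructed for illustration.

```python
from dataclasses import dataclass

# Privilege levels ordered from least to most powerful (constructed for this example).
LEVELS = {"read": 1, "read-write": 2}

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    level: str  # highest privilege level this user may use on this resource

# Constructed sample policy; all names are hypothetical.
POLICY = [
    Grant("alice", "hr-portal", "read-write"),
    Grant("alice", "wiki", "read"),
    Grant("bob", "billing-db", "read"),
]

# Constructed inventory: resource -> True if it has an unpatched vulnerability.
INVENTORY = {
    "hr-portal": False,
    "wiki": True,
    "billing-db": True,
    "build-server": True,
}

def authorize(user, resource, level, policy=POLICY):
    """Default deny: allow only when an explicit grant covers user, resource and level."""
    if level not in LEVELS:
        return False
    return any(
        g.user == user and g.resource == resource and LEVELS[level] <= LEVELS[g.level]
        for g in policy
    )

def reachable_vulnerable(user, model, policy=POLICY, inventory=INVENTORY):
    """Unpatched resources that a session authenticated as `user` can reach."""
    if model == "perimeter":
        # VPN-style: an authenticated user reaches every resource on the network.
        reachable = set(inventory)
    elif model == "zero-trust":
        # Each resource is evaluated separately against the policy.
        reachable = {r for r in inventory if authorize(user, r, "read", policy)}
    else:
        raise ValueError(f"unknown model: {model}")
    return sorted(r for r in reachable if inventory[r])

if __name__ == "__main__":
    for model in ("perimeter", "zero-trust"):
        print(model, reachable_vulnerable("alice", model))
```

With the same three unpatched applications, a session for `alice` can reach all of them under the perimeter model but only `wiki` under zero trust, which is the reduction in opportunity the section describes.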
Implementing and Enforcing Zero Trust Across the Enterprise
Adopting a zero trust security policy is a good first step, but it is useless if it is not enforced consistently across an organization’s IT infrastructure. If an attacker can bypass or circumvent access control policies – by taking advantage of inconsistent enforcement – then the zero trust policy is of limited utility.
For example, zero trust may be well-enforced on-premises but poorly enforced in an organization’s cloud-based infrastructure. If cloud-based applications have access to data and applications located on-premises, then an attacker may be able to compromise these applications and leverage their legitimate access to attack on-premises systems.
Consistent security enforcement requires a solution that operates the same way in all environments. For this reason, implementing zero trust at the network level may be the best option. Since all traffic has to flow over the network, implementing policies at the network level ensures that the variety of endpoints in the average enterprise network does not create blind spots and enforcement gaps.
SASE provides organizations with the ability to easily and effectively implement zero trust across their entire IT infrastructure. Zero Trust Network Access (ZTNA) is a core capability of SASE, and the other built-in functionality ensures high-performance, secure network connectivity. The combination of built-in access control and deep traffic inspection that SASE provides is ideal for minimizing the risk associated with unpatched and vulnerable applications.