Cloud Security Risk Prioritization is Broken. Here’s How to Fix It.
2024-9-23 15:47:55 Author: securityboulevard.com

Imagine you’re inside a burning building. Fire alarms are going off in every room. You’re standing in the hallway with a fire extinguisher. You have to put out the fires. Where do you start?

This is the situation many teams face when securing applications in the cloud. As cloud adoption grows and cloud applications increase, there is a higher likelihood of critical issues in those applications that could put your business at risk. Security and engineering teams must determine which issues pose the greatest threat. You may have a thousand code vulnerabilities or misconfigurations affecting your cloud applications, but which is the most urgent to fix?

The cloud accelerates application development and delivery, and legacy security approaches aren't keeping pace. Instead of focusing solely on infrastructure-related exposures, security teams must adopt a business-centric approach to assessing risk so they can identify, prioritize and mitigate the most dangerous problems. They must also pair risk mitigation efforts with preventative controls that stop targeted attacks and advanced threats.

More Noise Than Signal

In the fire analogy described above, the blaring alarms don’t indicate which rooms must be visited first. Similarly, without risk-based vulnerability prioritization, security teams are distracted by the “noise” of many cloud application vulnerabilities — with no signal indicating which poses the greatest risk. Using outdated approaches to discover and evaluate CVEs and misconfigurations may mean the most pressing issues are lost in the chaos.

The legacy approach to prioritization has involved the use of the Common Vulnerability Scoring System (CVSS), which applies a severity score to CVEs so teams can address the most critical vulnerabilities. However, the CVSS isn’t granular enough to differentiate benign CVEs from those that will have a direct business impact.


While CVSS scoring and code reviews are helpful, they are reactive. For example, vulnerabilities in a microservice that doesn't access customer or critical data, or one that already has a countermeasure for certain types of exploits, could be prioritized lower. Security teams need tools to proactively prioritize risk and make informed decisions about which fires to put out first.

Risk-based prioritization is essential for organizations to make informed security decisions and determine which issues to fix. However, there are no tools on the market that provide adequate context for automated risk assessment, prioritization and remediation. Some identify CVEs and their severity; however, they don’t provide businesses with context for these vulnerabilities or determine which are most important to a specific environment. As a result, security teams are forced to slowly work through the list as more issues inevitably arise.

Tuning in to Business Risk

Business context is critical. It's easy to understand, for example, that a CVE in a payment application is a high priority, whereas the same CVE in a search application is low priority. Security programs must take this into account as well. Effective security paradigms understand which detected vulnerabilities have the greatest business impact, so security teams aren't spending time prioritizing lower-risk vulnerabilities.

Traditional security applications run tests on code before it’s pushed. While this pre-production testing is still a best practice, it misses how code interacts with the environmental variables, configurations, and sensitive data it will coexist with once deployed. This insight is essential when you’re working to understand how a cloud-native application will function when live.

Technologies such as application security posture management (ASPM) facilitate a more proactive approach by automating security review processes in production and creating a live view of an application, its vulnerabilities, and business risks. ASPM provides visibility into what’s happening in the cloud, giving security teams a better understanding of application behavior and attack surfaces so they can prioritize appropriately. Understanding business risk empowers CISOs to provide a comprehensive picture of the business’ cloud security posture, which will help teams detect, prioritize and remediate threats to stop cloud and app-related breaches.

What Should Be Prioritized

When prioritizing vulnerabilities, ask yourself: “What’s the threat? What’s the business impact?” We typically find the following areas take priority:

  • Business-critical features in applications. Anything that generates revenue directly impacts the business and must be prioritized. This includes payment systems, microtransactions and memberships. In other words, anything in the pipeline between the customer and revenue.
  • Payment card industry (PCI) data. A subset of the above, PCI data should be protected at all costs. Credit card numbers and other payment information are valued among cybercriminals seeking to exploit vulnerabilities, and a breach in this realm can cost your business dearly.
  • Personally identifiable information (PII). Your customers’ data is your responsibility. Unfortunately, this data is among the most valued. Any potential vulnerability in this area should be a high priority.
  • Protected health information (PHI). Medical records and histories are not only connected to privacy concerns but also compliance. Any vulnerability in the PHI space is a grave concern and could have a deep impact on the business if exploited.
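As an added illustration (not code from the article or from any vendor product), the following Python sketch ranks findings by combining a CVSS base score with the business context described above: the data classes handled, whether the service sits on the revenue path, whether it is internet-facing, and whether a countermeasure already blocks the exploit path. The weights, service names and CVE placeholders are constructed assumptions to be tuned per environment.

```python
from dataclasses import dataclass, field

# Constructed context weights (assumptions for this example, not an industry standard).
DATA_WEIGHTS = {"PCI": 3.0, "PHI": 3.0, "PII": 2.5}
REVENUE_WEIGHT = 3.0            # service is in the pipeline between customer and revenue
INTERNET_FACING_WEIGHT = 1.5    # reachable from outside the trust boundary
COUNTERMEASURE_DISCOUNT = 0.5   # e.g. an existing WAF rule or feature flag blocks the path


@dataclass
class Finding:
    cve: str                    # placeholder identifiers below, not real CVEs
    service: str
    cvss: float                 # CVSS base score, 0.0 - 10.0
    data_classes: set = field(default_factory=set)
    revenue_critical: bool = False
    internet_facing: bool = False
    countermeasure: bool = False


def business_risk(f: Finding) -> float:
    """Scale the CVSS score by business context so identical CVEs rank differently
    depending on where they live; a countermeasure halves the result."""
    context = 1.0
    context += max((DATA_WEIGHTS.get(d, 0.0) for d in f.data_classes), default=0.0)
    if f.revenue_critical:
        context += REVENUE_WEIGHT
    if f.internet_facing:
        context += INTERNET_FACING_WEIGHT
    score = f.cvss * context
    if f.countermeasure:
        score *= COUNTERMEASURE_DISCOUNT
    return round(score, 2)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=business_risk, reverse=True)


# Constructed sample inventory: the same CVE in a payment and a search service,
# plus a higher-CVSS issue in a records service that already has a countermeasure.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-1", "payments", 7.5, {"PCI"}, revenue_critical=True, internet_facing=True),
    Finding("CVE-EXAMPLE-1", "search", 7.5),
    Finding("CVE-EXAMPLE-2", "records", 9.8, {"PHI"}, countermeasure=True),
    Finding("CVE-EXAMPLE-3", "internal-tool", 9.8),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{business_risk(f):6.2f}  {f.service:14s} {f.cve} (CVSS {f.cvss})")
```

Note that the CVSS 9.8 issue in the internal tool ranks below the CVSS 7.5 issue in the payment service, which is the ordering the business-context argument calls for.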

There will always be new and different vulnerabilities. With a mature approach to cloud security, you gain a more productive view of the vulnerabilities that will have the deepest impact on your business. This allows you to deploy resources to protect your bottom line.

Source: https://securityboulevard.com/2024/09/cloud-security-risk-prioritization-is-broken-heres-how-to-fix-it/