Application Risk Scoring

Jamie Gale - April 18, 2024

In modern software applications, the challenge of maintaining a strong security posture stems from more than just the sophistication and number of cyber threats in the world today. Many of today’s challenges come from the complexity of modern applications. Instead of predictable monolithic apps, modern apps are made up of tens or hundreds (or even thousands) of microservices and databases, creating a huge attack surface with an unmanageable number of dependencies. Adding to the complexity, distributed development teams are updating application code frequently, and many of these changes are pushed to production without full security reviews. Effectively prioritizing what to fix first is the greatest challenge for application security today.

With this backdrop, application risk scoring emerges as a crucial tool. Application risk scoring involves assessing vulnerabilities based on their likelihood, exploitability, and potential impact on the business. By assessing vulnerabilities in this light, security teams can properly prioritize their mitigation efforts, dedicating resources where it matters most.

In this post, we’ll explore the key concepts behind application risk scoring. We’ll provide a clearer understanding of risk scoring, discuss the role of Common Vulnerability Scoring System (CVSS) scores (and other scoring standards), and talk about what it means to integrate business and data flow context into your risk assessment. Finally, we’ll look at the role of application security posture management (ASPM) in scoring and assessing application risks.

Understanding risk in business and engineering contexts

In the business world, risk is an unavoidable reality. Businesses continually face potential losses in data, customers, finances, reputation, and intellectual property. For companies developing applications, this risk is amplified due to the dynamic nature of software. Frequent updates and changes through continuous integration/continuous delivery (CI/CD) and agile development introduce new vulnerabilities. Modern cloud-native applications further complicate the risk landscape.

To navigate these risks, businesses engage in continuous risk assessment. Security teams are tasked with mitigating threats that could have an impact on the business’s operations. Of course, prioritization is key: by ranking threats, organizations can allocate their resources more effectively and address the most pressing security challenges first. But how should businesses determine this prioritization?

Organizations need to understand the business functions of the applications — and the microservices that make up the applications — that they are responsible for securing. These questions can help determine where risks would have the most impact:

  1. What does it do (i.e., what is the business function of each microservice and API)?
  2. What data is at stake? Which microservices and APIs connect to or process sensitive data, such as personally identifiable information (PII), payment card industry (PCI) data, or protected health information (PHI)?

By assessing the criticality of each application component and the sensitivity of the data involved, an organization can focus on vulnerabilities that pose a real threat to its business continuity and competitive edge.

CVSS scores provide only a partial picture of risk

The CVSS is a widely recognized standard for assessing the severity of security vulnerabilities in software. Developed by the Forum of Incident Response and Security Teams (FIRST), the CVSS derives a score by analyzing various aspects of a vulnerability to quantify its potential impact. Scores range from 0 to 10:

  • Low severity (0 to 3.9): Poses minimal risk, often requiring specific conditions to be exploited.
  • Medium severity (4.0 to 6.9): More common and might be easier to exploit but typically does not lead to severe consequences.
  • High severity (7.0 to 8.9): A significant threat, often allowing unauthorized access or control over affected systems.
  • Critical severity (9.0 to 10): The most dangerous kind of vulnerability, usually allowing widespread exploitation with severe impacts like data loss, system downtime, or complete system takeover.

CVSS scores are often associated with Common Vulnerabilities and Exposures (CVEs). For example, the National Vulnerability Database (NVD) provides a CVSS score for every CVE in its listing.

Though CVSS scores provide insight into the severity of a vulnerability, it’s crucial to understand that severity is not a measure of exploitability.

Measuring exploitability and likelihood

Determining the exploitability of a vulnerability requires considering whether a component is internet-facing, its use (internal or external), and whether it requires authentication. Once the adversary’s ability to reach a vulnerability is established, additional information helps determine whether bad actors are actually targeting each weakness.

To dive deeper into the inner details of exploitability, let’s look at the Exploit Prediction Scoring System (EPSS) and ExPRT.AI.

The EPSS, also spearheaded by FIRST, provides a probability score indicating the likelihood of a vulnerability being exploited, and ExPRT.AI determines which vulnerabilities are leveraged by adversaries in the real world. Together, these metrics offer a more comprehensive view of risk than CVSS scores alone can provide.

Understanding the limitations of CVSS scores while simultaneously integrating application architecture, EPSS, and ExPRT.AI into risk assessment enables a more nuanced approach. This integration allows you to distinguish between the severity of a vulnerability and its exploitability in a specific business environment. However, comprehensive application risk assessment means taking into account another factor beyond severity and exploitability: criticality.

Taking business criticality into account

The risk a vulnerability poses to an application is also related to its potential impact on the business, or what is called business criticality. Assessing business criticality requires considering the following:

  1. The business function of each microservice and API in the application’s architecture
  2. The sensitivity of data flows

Whether a component processes highly sensitive data (PII, PHI, or data subject to PCI standards) can drastically alter the criticality of a vulnerability within that component. This approach moves beyond a one-size-fits-all view of vulnerabilities, allowing for a tailored risk assessment that reflects the unique aspects of each organization.

Tracking sensitive data flows through applications is challenging. First, each database should be audited for sensitive information. Next, the consumption of this data must be tracked through every application component. As data flows increase in complexity, this quickly becomes a difficult — if not impossible — process to complete manually.

Integrating business and data flow context into risk assessments ensures that the most critical vulnerabilities are prioritized, aligning cybersecurity efforts with the organization’s overall risk management strategy.

ASPM and application risk scoring

ASPM is a comprehensive approach to securing software applications. It encompasses risk-based scoring to identify which vulnerabilities have the greatest impact on the application and the business, and to prioritize which to fix first.

ASPM tools use risk-based scoring to determine the priority of each vulnerability. This method involves analyzing all three factors discussed in this article: severity, exploitability, and business criticality of the affected application component.
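The following is an added worked example, not code from CrowdStrike, Bionic or the post’s author, showing one way to combine the three factors above into a single ranking: the CVSS severity bands as listed in this post, an exploitability factor built from the EPSS probability plus the internet-facing and authentication questions from the exploitability section, and a business-criticality factor that propagates data-sensitivity labels (PII, PCI, PHI) from databases to every service that depends on them, which is the data-flow tracking step from the criticality section. The weights, the floor constants, the sample component graph and the VULN-n findings are all constructed assumptions chosen for illustration; a real ASPM tool would calibrate them and draw on live EPSS and ExPRT.AI data.

```python
"""Toy application risk scoring: severity x exploitability x business criticality.

Added example for this post; it is not CrowdStrike, Bionic, FIRST or NVD code.
Every weight, formula, component and finding below is a constructed assumption.
"""
from dataclasses import dataclass, field

# Constructed weights for the data classes the post names (plus a low internal tier).
DATA_WEIGHTS = {"PHI": 1.0, "PCI": 1.0, "PII": 0.8, "INTERNAL": 0.3}


def cvss_band(score: float) -> str:
    """Map a CVSS base score (0-10) to the severity bands listed in the post."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Component:
    name: str
    internet_facing: bool
    requires_auth: bool
    function_weight: float                          # constructed 0..1 business-function rating
    depends_on: list = field(default_factory=list)  # downstream services / databases it calls
    data: set = field(default_factory=set)          # data classes it stores directly


def propagate_data(components: dict) -> dict:
    """Return {name: data classes reached directly or through any dependency chain}.

    This is the post's 'track consumption through every component' step, done as
    a fixed-point walk so dependency cycles terminate and still propagate fully.
    """
    reached = {n: set(c.data) for n, c in components.items()}
    changed = True
    while changed:
        changed = False
        for name, comp in components.items():
            before = len(reached[name])
            for dep in comp.depends_on:
                reached[name] |= reached[dep]
            changed |= len(reached[name]) != before
    return reached


def exploitability(comp: Component, epss: float) -> float:
    """Reachability (internet-facing, authentication) scaled by the EPSS probability.

    Constructed factors: an internal component counts as half as reachable as an
    internet-facing one, and required authentication halves reachability again.
    """
    reach = 1.0 if comp.internet_facing else 0.5
    if comp.requires_auth:
        reach *= 0.5
    return reach * epss


def criticality(comp: Component, reached_data: set) -> float:
    """Larger of the component's function weight and its most sensitive reachable data."""
    data_weight = max((DATA_WEIGHTS.get(d, 0.0) for d in reached_data), default=0.0)
    return max(comp.function_weight, data_weight)


def risk_score(cvss: float, expl: float, crit: float) -> float:
    """Severity scaled by exploitability and criticality; each factor is floored at
    0.25 so a severe finding never scores zero just because it looks unreachable today."""
    return cvss * (0.25 + 0.75 * expl) * (0.25 + 0.75 * crit)


def rank_vulnerabilities(components: dict, vulns: list) -> list:
    """Return (vuln_id, component, CVSS band, risk score) tuples, highest risk first."""
    reached = propagate_data(components)
    rows = []
    for vuln_id, comp_name, cvss, epss in vulns:
        comp = components[comp_name]
        score = risk_score(cvss, exploitability(comp, epss),
                           criticality(comp, reached[comp_name]))
        rows.append((vuln_id, comp_name, cvss_band(cvss), score))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample architecture (not a real deployment).
COMPONENTS = {
    "web-gateway":  Component("web-gateway",  True,  False, 0.6, ["checkout-api"]),
    "checkout-api": Component("checkout-api", False, True,  1.0, ["payments-db"]),
    "payments-db":  Component("payments-db",  False, True,  1.0, [], {"PCI"}),
    "admin-portal": Component("admin-portal", True,  True,  0.7, ["users-db"]),
    "users-db":     Component("users-db",     False, True,  0.8, [], {"PII"}),
    "log-shipper":  Component("log-shipper",  False, True,  0.1, [], {"INTERNAL"}),
}

# Constructed findings: (placeholder id, component, CVSS base score, EPSS probability).
VULNS = [
    ("VULN-1", "log-shipper",  9.8, 0.02),
    ("VULN-2", "web-gateway",  7.5, 0.60),
    ("VULN-3", "admin-portal", 6.5, 0.30),
    ("VULN-4", "checkout-api", 8.8, 0.10),
]

if __name__ == "__main__":
    for vuln_id, comp, band, score in rank_vulnerabilities(COMPONENTS, VULNS):
        print(f"{vuln_id:8} {comp:14} CVSS {band:8} risk {score:5.2f}")
```

Run as a script, it prints the ranking. The CVSS 9.8 finding on the internal log shipper lands last, while the 7.5 on the internet-facing gateway that transitively reaches PCI data lands first: exactly the reordering the post argues a CVSS score alone cannot produce. The data propagation is what makes the gateway critical even though it stores nothing itself, which is why the post treats data-flow tracking as part of criticality rather than an afterthought.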

By adopting a risk-based approach, ASPM enables organizations to focus their resources on the most significant threats, thereby enhancing their overall cybersecurity posture.

Conclusion

A risk-based approach using application risk scoring is essential for modern organizations seeking to navigate the cyber threat landscape amidst the complexity of their applications and the distributed nature of their teams. To be effective and efficient in resource usage, organizations must properly prioritize the risks that their applications face. This means assessing vulnerabilities based on their severity (taking into account the CVSS score), exploitability (taking into account architecture, EPSS, and ExPRT.AI), and business criticality.

CrowdStrike continues to demonstrate its leading role in the field of cybersecurity through its acquisition of Bionic, the pioneer of ASPM. As enterprises use the CrowdStrike Falcon® platform, they’ll also enjoy comprehensive risk visibility and protection from the integrated and leading ASPM solution from Bionic.

To learn more about the Falcon platform, register for an on-demand demo or contact us today.

GET TO KNOW THE AUTHOR

Jamie Gale is a product marketing manager with expertise in cloud and application security. Prior to joining CrowdStrike through acquisition of Bionic, she led technical content and executive communications efforts for several startups and large international organizations. Jamie lives in Washington, D.C. and is a graduate of the University of Mary Washington.