Application Security Prioritization Schema
In today's IT ecosystem, large multinational organizations run tens if not hundreds of web applications. It is usually not possible for a global organization to know the technical (security) specification of every web application it operates around the world. According to the National Vulnerability Database (NVD), in the last 4 years the number of published vulnerabilities has exceeded 5000 per year. With hundreds of web applications, more than 5000 vulnerabilities per year and incomplete knowledge of the technical specifications, it can be confusing to decide which application to fix first. Organizations therefore need a framework to prioritize the applications whose vulnerabilities have the biggest impact on the business, without knowing all the technical details.
The thesis presents a framework called the Application Vulnerability Business Impact Framework (AVBIF). The framework is developed for Merck KGaA, which has products in health care, Life Science and Performance Materials. The AVBIF encourages the development of an ISMS and abstracts away the unknown technical details by using a template-based approach. It includes a business impact factor in the calculation of vulnerability severity, making the rating sensitive to the business impact. It also takes into account that a vulnerable application exposes other applications which share data, location or login (SSO) with it. Thus the severity rating an organization obtains for its applications is based not only on the severity of the vulnerability itself but also on the impact on the business if the vulnerability is exploited in the web application.
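To make the two ideas above concrete (a business impact factor weighting the technical severity, and a vulnerable application exposing the applications it shares data, location or SSO with), here is a small prioritization scorer. It is an added illustration, not the thesis's AVBIF formula: the link weights, the impact scale and the four-application inventory are constructed assumptions, and exposure is propagated only one hop.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed link weights: how strongly a compromised application exposes another
# application that shares a resource with it (hypothetical values, not AVBIF's).
LINK_WEIGHTS = {"sso": 1.0, "data": 0.8, "location": 0.5}


@dataclass
class App:
    name: str
    business_impact: int      # 1 (low) .. 5 (critical), taken from the business template
    max_severity: float       # highest CVSS-style base score (0..10) of its known vulns, 0 if none
    # link type -> names of other applications sharing that resource
    shares: Dict[str, List[str]] = field(default_factory=dict)


def own_score(app: App) -> float:
    """Business-weighted severity of the application's own vulnerabilities."""
    return app.max_severity * app.business_impact / 5.0


def exposure_scores(apps: Dict[str, App]) -> Dict[str, float]:
    """Score each application inherits from vulnerable applications it is linked to.

    A target keeps the highest exposure it receives; the target's own business
    impact still scales the result, so a critical app behind a shared SSO is
    ranked higher than a low-impact app behind the same SSO.
    """
    exposure = {name: 0.0 for name in apps}
    for src in apps.values():
        if src.max_severity == 0:
            continue  # nothing known to exploit here, nothing to propagate
        for link_type, targets in src.shares.items():
            weight = LINK_WEIGHTS[link_type]
            for target_name in targets:
                target = apps[target_name]
                candidate = src.max_severity * weight * target.business_impact / 5.0
                exposure[target_name] = max(exposure[target_name], candidate)
    return exposure


def prioritize(apps: Dict[str, App]) -> List[Tuple[str, float, str]]:
    """Rank applications by max(own score, exposure score), highest first.

    The third tuple field records whether the score came from the app's own
    vulnerabilities ("own") or from a linked vulnerable app ("exposed").
    """
    exposure = exposure_scores(apps)
    ranked = []
    for name, app in apps.items():
        own, exposed = own_score(app), exposure[name]
        if own >= exposed:
            ranked.append((name, round(own, 2), "own"))
        else:
            ranked.append((name, round(exposed, 2), "exposed"))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def sample_inventory() -> Dict[str, App]:
    """Constructed inventory: a critical-severity marketing site, a medium-severity
    order portal, and two clean back-office systems reachable through it."""
    apps = [
        App("marketing-site", business_impact=1, max_severity=9.8),
        App("order-portal", business_impact=5, max_severity=7.2,
            shares={"sso": ["erp"], "data": ["warehouse"]}),
        App("erp", business_impact=4, max_severity=0.0),
        App("warehouse", business_impact=3, max_severity=0.0),
    ]
    return {a.name: a for a in apps}


if __name__ == "__main__":
    for name, score, source in prioritize(sample_inventory()):
        print(f"{name:15} {score:5.2f}  ({source})")
```

Ranking by raw severity alone would put the marketing site (CVSS 9.8) first; weighting by business impact drops it to the bottom, and the clean ERP system, which has no vulnerability of its own, is ranked second purely because the vulnerable order portal shares its SSO.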
- Sheikh Mahbub Habib (sheikh(a-t)tk.tu-darmstadt.de)
Research areas: CYSEC, Telecooperation