Today, Verizon Business (NYSE: VZ) announced the Verizon Application Security Program, aimed at helping organizations better prioritize their security efforts at a time of increasing and varied threats.
Earlier this year, Verizon’s Data Breach Investigations Report found that data taken from servers accounted for 94 percent of all records lost in the breaches that Verizon’s RISK team had investigated.
While companies understand the need to fix the flaws in those applications, IT departments lack the resources to fix all of them. “The goal of the Application Security Program is to provide a risk-based approach to help protect the security of business-critical applications,” Omar Khawaja, Verizon Business Global Services product manager, told InternetNews.com.
The program is designed to locate and secure the applications that matter most. “Customers are saying, ‘Don’t tell me five things to do on every application. Help me on decision support. Help me find out on which applications it would behoove me to spend the most resources,’” Khawaja said.
Three tiers for security
The program consists of three tiers of scans, each applied to a smaller set of applications than the one before it. The first tier, the baseline, is applied to all applications. At this level, Verizon Business determines the dollar value of the data an application handles, the threat of compromise to the application, and the risk its exposure on the network represents.
In addition, Verizon Business conducts a software development life cycle (SDLC) review to ensure that developers are incorporating security into applications.
The second tier, assessment, consists of a variety of tests, each of which is applied to a smaller subset of the applications.
The third tier, certification, is applied only to the most vital and most at-risk applications. It provides an enterprise with a Verizon Business Certified logo for its customer-facing or partner-facing applications.
Clean and repeat
The program is subscription based and includes regular network and application scans, some of which are annual and some of which can run as often as monthly. Pricing was not disclosed and depends on a variety of options.
“Many customers tell us they cannot afford 50 complete application vulnerability scans,” said Khawaja. “But they do have $500,000 to spend on application security.”
“With this framework, we can have an intelligent discussion,” he added. “We can provide decision support around the use of limited resources so that they achieve the greatest impact for every dollar spent.”
An extra benefit of a regular security scan is that, in addition to improving security, it supports compliance. For example, PCI DSS requirement 6.6 allows enterprises to choose, for their public-facing web applications, between a regular application vulnerability assessment (as offered by the Verizon Application Security Program) and a web application firewall (not provided by the Verizon Application Security Program).