How to Mitigate the Security Risk of Orphaned Applications

By Ryan C. Barnett  |  Posted 2010-09-21

How to Mitigate the Security Risk of Orphaned Applications

As today's tumultuous economic climate forces organizations in both the private and public sectors to scale back or downsize, many programs, initiatives and even technologies have been abandoned. Similarly, the current economic environment has been rife with mergers and acquisition activity as companies and industries scramble to stay afloat. This has resulted in programs and projects that remain abandoned in their new homes.

In fact, a recent survey of 180 IT security professionals found that over 45 percent of respondents experienced a reduction in force that impacted their security organization's ability to adequately protect the enterprise.

While these effects are often chalked up to the pains of staying in business during challenging financial times, the problem of orphaned applications can mean far greater consequences for organizations if it remains unchecked. In this article, I will explain the challenges of orphaned applications and how organizations can protect them-and the sensitive information they can expose-against savvy Web hackers.

Orphaned application syndrome

Orphaned applications are those that have fallen through the cracks of asset management. In general, it means that the application is still on the network and externally accessible, but no one person or group has been tasked with its administration and management.

The problem with orphaned applications is that the systems are not properly assigned and managed, which means that no one is monitoring the application logging or updating the software with current security fixes and patches. As a result, the applications are left exposed and as ripe targets for attackers to use hacking methods such as SQL injections, cross-site scripting (XSS), and session hijacking and scraping to confiscate confidential information.

The cost of data leakage from abandoned applications could be steep. A recent study found that the financial impact of identity threat breaches is on the rise, with an average cost of $6.75 million per incident. Up to 80 percent of successful attacks against organizations occur due to exploitation of vulnerabilities in Web applications. MasterCard has identified SQL injection as the top reason for card data compromise.

Avoiding Orphaned Applications

Avoiding orphaned applications

Orphaned applications do not need to become security liabilities. Companies can take two proactive steps to identify and protect against applications that have fallen by the wayside to help ensure that hackers aren't given a backdoor entrance to sensitive data and customer information.

Step No. 1: Identify assets

The first step toward avoiding the risks associated with orphaned applications is to identify what applications are running on the network. This can be achieved by using a Web Application Firewall (WAF) that that can identify where Web applications are on the network and the types of data running on them.

Step No. 2: Manage assets

After all applications on the network have been identified, a sophisticated WAF can be configured to block attacks against the applications and to virtually patch identified vulnerabilities in Web applications.

Testing alone will not uncover all vulnerabilities; a real-time solution for identifying and fixing defective and vulnerable production applications is essential. Likewise, many network security solutions fail to identify the orphaned applications that exist in a corporate environment. By using a WAF, businesses can expedite the implementation of solutions for issues without only relying upon time-consuming and complex software updates and patches.

Customized Protection Against Orphaned Applications

Customized protection against orphaned applications

Unfortunately, orphaned applications are becoming an increasingly common problem for businesses. In order for companies to ensure they are protecting their sensitive and confidential data, a WAF must be implemented to first identify all applications on the network-known and unknown-and then block against attacks and other Web threats.

This approach can ensure customized protection for each Web application on a network and gives corporate security teams a detailed understanding of the applications they are protecting. In addition, an advantage of using a WAF is that it makes it easy for employees outside the operations or application teams to keep track of Web applications and provide security. Therefore, if there is turnover within the Web application staff, an external network infrastructure layer exists to monitor and protect the Web applications.

Deploying a Web application security solution can immediately protect orphaned applications against Web attacks. It can also provide invaluable information about application defects found while monitoring the application in the production environment. By continuously identifying and monitoring orphaned Web applications, defects and threats are discovered in real time. Assessing the Web applications in their actual environments allows the firewall to identify defects that might otherwise go unnoticed during a vulnerability scan or code review.

Ryan C. Barnett is a Senior Security Researcher on Trustwave's SpiderLabs Team. Ryan is a SANS Institute faculty member and the OWASP ModSecurity Core Rule Set (CRS) Project Leader. Ryan is also a member of the Web Application Security Consortium (WASC) where he leads the Distributed Open Proxy Honeypot Project. He can be reached at

Rocket Fuel