Risk ranking your applications: A method to the madness

You likely have a diverse mix of applications within your organization.

You have everything from apps powering web and mobile tools that just launched to internal functionality you’ve not updated in years. You created some applications in-house, external partners supplied some, and some are critically dependent on open source code built by developers with which you have no business relationship.

If you are like many organizations, you may not even know how many applications you have in your portfolio or their current security posture!

Any one of those applications could provide an opportunity for a hacker to gain unauthorized access and exploit your business systems. The only way to know is to test, right?

Back to reality: You have a limited budget and need to prioritize.

How do you know which applications contribute the most risk?

Risk ranking is a structured methodology that assesses the risk associated with any application and then assigns a criticality rating that immediately helps prioritize testing and remediation efforts.

Some elements used in risk ranking are pretty straightforward. For example, if you have an application that is under scrutiny from regulators or is responsible for 90% of your revenue, clearly that one goes to the front of the line. In contrast, an internal-only photo-sharing tool may not rank as high.

Synopsys looks at many factors when risk ranking, including:

  • Relationship to revenue
  • Impact on business continuity
  • Compliance or regulatory requirements
  • The audience it serves
  • How much sensitive data it stores or accesses
  • Methods of access
  • Connection/integration with other systems
  • Human safety

How can risk ranking save you time and money?

Application security testing can range from automated testing to in-depth manual testing. Your risk ranking methodology will help you determine the right frequency and depth of testing required to mitigate risk in your application portfolio appropriately.

You can then make informed decisions about how much to invest in your testing strategy and whether you need to bring in external support to supplement your own testing resources.

Having a repeatable approach for classifying your applications will also help you measure your progress in reducing risk. For example, if your security strategy calls for a reduction in the number of bugs and flaws that make it to production for all critical applications, you need to define what “critical” means for everyone.

Risk ranking is an essential part of an overall security strategy. It gives you the information you need to communicate your testing goals both across your organization and to external groups, and make decisions with speed and confidence.

Easy and smart solutions to test your web applications at every depth.

get started

 
Sammy Migues

Posted by

Sammy Migues

Sammy Migues

Sammy Migues is principal scientist within the Synopsys Software Integrity Group where he studies evolving application security market needs, creates solutions for the hard problems, and leads organizations through transformational improvements. Over the past 15 years, Sammy focused on computer-based and instructor-led training, smart grid, supply chain security, metrics, software security initiative maturity, and management consulting. Sammy is a co-creator and the maintainer of the Building Security In Maturity Model (BSIMM), the only study of its kind to capture the actual software security practices in over 200 firms around the globe. Sammy also co-authored the Synopsys CISO Report, a review of approaches to the CISO role, and the BSIMMsc, an application of the BSIMM for supply chain security. His thought leadership and expertise has appeared in Dark Reading, Infosecurity Magazine, Forbes, Supply Chain Digital, and The Daily Swig, among many media publications. He has spoken at public conferences including Gartner, FS-ISAC, and RSA. Sammy is also a frequent speaker at private conferences, such as the members-only BSIMM conference, and internal security conferences.


More from Managing security risks