Posted by Sammy Migues on June 18, 2015
You likely have a diverse mix of applications within your organization.
You have everything from apps powering web and mobile tools that just launched to internal functionality you’ve not updated in years. You created some applications in-house, external partners supplied some, and some are critically dependent on open source code built by developers with which you have no business relationship.
If you are like many organizations, you may not even know how many applications you have in your portfolio or their current security posture!
Any one of those applications could provide an opportunity for a hacker to gain unauthorized access and exploit your business systems. The only way to know is to test, right?
Back to reality: You have a limited budget and need to prioritize.
Risk ranking is a structured methodology that assesses the risk associated with any application and then assigns a criticality rating that immediately helps prioritize testing and remediation efforts.
Some elements used in risk ranking are pretty straightforward. For example, if you have an application that is under scrutiny from regulators or is responsible for 90% of your revenue, clearly that one goes to the front of the line. In contrast, an internal-only photo-sharing tool may not rank as high.
Application security testing can range from automated testing to in-depth manual testing. Your risk ranking methodology will help you determine the right frequency and depth of testing required to mitigate risk in your application portfolio appropriately.
You can then make informed decisions about how much to invest in your testing strategy and whether you need to bring in external support to supplement your own testing resources.
Having a repeatable approach for classifying your applications will also help you measure your progress in reducing risk. For example, if your security strategy calls for a reduction in the number of bugs and flaws that make it to production for all critical applications, you need to define what “critical” means for everyone.
Risk ranking is an essential part of an overall security strategy. It gives you the information you need to communicate your testing goals both across your organization and to external groups, and make decisions with speed and confidence.