Application Portfolio Risk Ranking

Security Innovation offers a range of services that help organizations resolve vulnerabilities and weaknesses in a portfolio of enterprise applications, a stand-alone application, an embedded software system, or within the software development process itself.

Ensure the Level of Security Assessment is Commensurate with Application Risk

Your organization has dozens or even hundreds of deployed applications, but you likely have little insight into which are putting your most critical data and technology assets at risk. As a result, security decisions are made in an uninformed manner, leading to inefficient allocation of resources that will often miss the most critical risks.

Not all applications need a deep security assessment; in fact, many non-critical applications need nothing more than an automated scan to find common vulnerabilities or meet compliance requirements.

Our Application Portfolio Assessment service ranks your risks and offers visibility into the state of application security across your organization. It offers the following benefits:

Our Approach

Step 1: Define Data Criticality (Sensitive, Compliance, Legal)
Data classification reflects the level of impact to your organization if any major area of security is compromised. Classification includes factors such as compliance mandates, federal laws and internal standards. Once your data criticality factors are well understood, we create an enterprise threat model and classify your applications according to the level of data each one processes, stores or transmits.

Step 2: Measure Application Attack Exposure
It's important to factor in the relative attack risk each application carries. Some applications have very little exposure, while others are exposed to large numbers of users over the Internet. Some are connected to other enterprise systems, databases or web services, while others are more isolated and harder to access.

The combination of data criticality and attack exposure allows us to produce a risk-ranked grouping of your applications.

Step 3: Prioritize Your Resources
For each application, we consider the combination of criticality of data stored, transmitted or processed plus the attack exposure to risk-rank your portfolio. There is no standard formula for this, as risk tolerance and data mapping are contextual to each organization. For each application risk tier, we create a recommended testing frequency and depth chart (see below) so you can apply resources intelligently.

We will provide a risk-ranking framework that allows security and risk analysts to quantitatively categorize application assets and help you plan additional assessment and mitigation activities based on your organization’s budget and time constraints.


Application Risk Rating

Sample Tier and Testing Frequency Table

Application Criteria

| Threat Rating | Sensitive Data | Lifespan | Compliance Stringency | Customer Facing* |
|---|---|---|---|---|
| Tier 1 (Critical) | Restricted | Long | High | Yes |
| Tier 2 (High) | Private | Mid | Medium | Yes |
| Tier 3 (Low) | Public | Short | N/A | No |

* Customer-facing applications would include internet-facing applications as well as applications that reside on mobile or in-home devices

Security Testing Depth and Frequency

| Threat Rating | Static (Source Code) Analysis: Complete | Static (Source Code) Analysis: Frequency | Dynamic Analysis ^ (Web App Scanning): Complete | Dynamic Analysis ^ (Web App Scanning): Frequency | Manual (Penetration) Testing: Complete | Manual (Penetration) Testing: Frequency | Threat Modeling: Complete | Threat Modeling: Frequency |
|---|---|---|---|---|---|---|---|---|
| Tier 1 (Critical) | Required | Major code changes | Required | Major code changes | Required | Per-Milestone | Required | Per-Release |
| Tier 2 (High) | Suggested | Monthly | Required | Quarterly | Required | Per-Release | Suggested | Per-Release |
| Tier 3 (Low) | Optional | Quarterly | Required | Annually | Optional | As Needed | Optional | As Needed |

^ Dynamic testing only necessary for Web-based applications