Security Innovation offers a range of services that help organizations resolve vulnerabilities and weaknesses in a portfolio of enterprise applications, a stand-alone application, an embedded software system, or within the software development process itself.
Your organization has dozens or even hundreds of deployed applications, but you likely have little insight into which are putting your most critical data and technology assets at risk. As a result, security decisions are made in an uninformed manner, leading to inefficient allocation of resources that will often miss the most critical risks.
Not all applications need a deep security assessment; in fact, many non-critical applications need nothing more than an automated scan to find common vulnerabilities or meet compliance requirements.
Our Application Portfolio Assessment service ranks your risks and offers visibility into the state of application security across your organization. The assessment proceeds in three steps:
Step 1: Define Data Criticality (Sensitive, Compliance, Legal)
Data classification reflects the level of impact to your organization if any major area of security is compromised. Classification includes factors such as compliance mandates, federal laws and internal standards. Once your data criticality factors are well understood, we create an enterprise threat model and classify your applications based upon the level of data each one processes, stores or transmits.
Step 2: Measure Application Attack Exposure
It's important to factor in the relative attack risk each application carries. Some applications have very little exposure, while others are exposed to large numbers of users over the Internet. Some are connected to other enterprise systems, databases or web services, while others are more isolated and harder to access.
The combination of data criticality and attack exposure allows us to produce a risk-ranked grouping of your applications.
Step 3: Prioritize Your Resources
For each application, we consider the combination of the criticality of data stored, transmitted or processed plus the attack exposure to risk-rank your portfolio. There is no standard formula for this, as risk tolerance and data mapping are contextual to each organization. For each application risk tier, we create a recommended testing frequency and depth chart (see below) so you can apply resources intelligently.
We will provide a risk-ranking framework that allows security and risk analysts to quantitatively categorize application assets and help you plan additional assessment and mitigation activities based on your organization's budget and time constraints.

| Threat Rating | Sensitive Data | Lifespan | Compliance Stringency | Customer Facing* |
|---|---|---|---|---|
| Tier 1 (Critical) | Restricted | Long | High | Yes |
| Tier 2 (High) | Private | Mid | Medium | Yes |
| Tier 3 (Low) | Public | Short | N/A | No |
\* Customer-facing applications include internet-facing applications as well as applications that reside on mobile or in-home devices.
Security Testing Depth and Frequency

| Threat Rating | Static (Source Code) Analysis | Frequency | Dynamic Analysis^ (Web App Scanning) | Frequency | Manual (Penetration) Testing | Frequency | Threat Modeling | Frequency |
|---|---|---|---|---|---|---|---|---|
| Tier 1 (Critical) | Required | Major code changes | Required | Major code changes | Required | Per-Milestone | Required | Per-Release |
| Tier 2 (High) | Suggested | Monthly | Required | Quarterly | Required | Per-Release | Suggested | Per-Release |
| Tier 3 (Low) | Optional | Quarterly | Required | Annually | Optional | As Needed | Optional | As Needed |
^ Dynamic testing is only necessary for web-based applications.