I came across an interesting blog about application risk assessment today, so I wanted to highlight some of the different approaches in response.
In the blog, Chris’s approach seems somewhat like threat modeling, which is typically used for code reviews. In general he covers a large part of the important content but doesn’t address the real issue of risk: cost vs. risk. Anyway, I hope to address that here and explain the two major methods used extensively: threat modeling and the NIST/OCTAVE asset-based approach.
Threat Modeling Approach
Threat modeling is basically the ongoing risk assessment process that covers the entire Software Development Lifecycle.
From a managerial risk assessment perspective, I would take a different view, using a strategic NIST/OCTAVE approach:
What are the assets? (e.g. information, applications, hardware, etc.)
What are the threats? (e.g. data contamination, malicious code, equipment failure, etc.)
What are the vulnerabilities? (e.g. no security training for developers, lack of formal SDLC, no development standards, no security requirements, no security testing, etc.)
Within the vulnerabilities I would roll up any identified tactical findings into strategic issues. For example, software code with clear-text passwords may point to a poor encryption policy, a lack of standards, or a lack of proper classification policy and controls around passwords.
Overall, this strategic approach helps us determine which assets in the entire application architecture/environment carry the highest risk so that we can mitigate accordingly. In the long run this approach should save cost. We really wouldn’t want to spend $40,000 on a code review for each application when I know that none of the developers have security training and that we have no secure development standards. This money can be strategically better spent on training, since we might have 30 applications across the enterprise. At that point we can decide to perform a sample checkup and measure progress to see how we perform both before and after the training. This will be the most cost-effective approach and will produce metrics that can be delivered to executive management.