The subject of Risk is an old topic in Program and Project Management circles: identifying risks and developing strategies to address them is what separates the vision of success from the specter of failure. There are thousands of floors of compliance personnel developing Risk Strategies around the world, and multiples of those floors for single companies!
The benefit of developing a working Risk Strategy in Application Security is that such a strategy can provide an effective defense against a software breach, identify the cost to fix the breach by application, by flaw or by developer hour (or all three), and, when built on a survey or questionnaire, surface important application inventory data along the way.
In working with several clients to build Risk Assessment and Governance Strategies in support of their Application Security programs, I’ve identified four key steps to properly develop a working strategy.
- Scoping for Risk Assessment – Understanding the level of risk assessment and compliance that is needed for your organization.
- Calculating and Quantifying Risk – Using the scope defined, building a measurable assessment of Application Security Risk.
- Setting up the Risk Assessment for Success – Explaining the Why, When, Who and What is occurring during the Risk Assessment for all parties, e.g. Developers, Development Leadership, Compliance managers, etc.
- Managing Remediation using a Risk Assessment and Governance Process – A process to identify Risk has been developed, a system to calculate Risk has been created, and the Risk strategy has been communicated; now it’s time to engage development teams and start enforcing the Risk strategy!
Using this blueprint, the next four blog posts will give a deeper understanding of each step and include additional detail to help start the conversation on Risk Assessments within your Application Security program.