Risk assessments for application security
November 16, 2016

Risk Assessment – Starting the Conversation

The subject of risk is an old topic in program and project management circles: identifying risks and developing strategies to address them is what separates success from failure. There are thousands of floors of compliance personnel developing risk strategies around the world, and some single companies fill many of those floors by themselves!

The benefits of developing a working risk strategy in application security are that such a strategy can provide an effective defense against a software breach and can identify the cost to fix the breach by application, by flaw, or by developer hour (or all three). In addition, a risk strategy that uses a survey or questionnaire can yield important application inventory data as a by-product.

In working with several clients to build Risk Assessment and Governance Strategies in support of their Application Security programs, I’ve identified four key steps to properly develop a working strategy.

  • Scoping for Risk Assessment – Understanding the level of risk assessment and compliance that your organization needs.
  • Calculating and Quantifying Risk – Using the scope you defined, building a measurable assessment of application security risk.
  • Setting up the Risk Assessment for Success – Explaining the why, when, who and what of the risk assessment to all parties involved, e.g. developers, development leadership, compliance managers, etc.
  • Managing Remediation using a Risk Assessment and Governance Process – Once a process to identify risk has been developed, a system to calculate risk has been created, and the risk strategy has been communicated, it is time to engage development teams and start enforcing the risk strategy!

Using this blueprint, the next four blog posts will give a deeper understanding of each step and include additional detail to help start the conversation on risk assessments within your application security program.

Mitch Horton, PMP, CSM, is a Principal Security Program Manager at Veracode. He collaborates with Veracode’s largest customers to address application security in a full-lifecycle approach, from initiation of a program to optimization. Prior to joining Veracode, Mitch worked for Microsoft managing programs for government and enterprise customers. When he is not working, Mitch enjoys training for Ironman triathlons and creating new recipes in the kitchen, and he is a father of four.
