We have a collective prioritization problem. While this is true when analyzing individual applications, it is also true across applications. Organizations aren’t good at nuance. They tend to “think” in terms of rigid processes and ignore risk and potential business impact. Unfortunately, this approach has a real-world impact on application risk.
Consider a list of internally developed applications at your organization. It could include everything from a customer mobile application to a partner portal, internal trading algorithms, a Human Resources website, an app for facilities requests, and more.
Now think about how your Application Security program handles these applications. How much of the required processes and procedures are the same for all of those apps? If you want to add or change an existing feature, you likely have to fill out a risk questionnaire, but is the number of questions you need to answer different depending on the business impact of the application? If you perform SAST scans, do you have different remediation requirements, depending on the business impact of the application? The answer is no! Did you ever ask yourself why?
To some extent, this is understandable because quantifying the business impact of an application isn’t trivial and is mostly based on human input. In many cases, your natural instinct to classify applications can be incorrect, so you need to look at the code!
Here are a few examples of things you may find in your code and configurations that is critical to understanding the business impact of an application:
If you adapt your processes to be risk-based and business-impact aware, your AppSec engineers, security architects and developers will be much more efficient, spend less time on your least important applications and more time on the important ones, which will eventually help release more secure applications faster.
Whenever you perform a security task, ask yourself if you’re doing it to comply with a required process or to actually reduce the risk to your organization. If you ever find yourself doing the former, realize that it doesn’t have to be this way and speak up!
Apiiro is changing the industry from focusing on Application Security to Application Risk. Join us for the revolution!