A security risk assessment identifies and evaluates the key security controls in an application and the gaps between them, and drives the implementation of the controls that are missing. It also focuses on preventing application security defects and vulnerabilities rather than only finding them after the fact.
Carrying out a risk assessment allows an organization to view the application portfolio holistically, from an attacker's perspective. It supports managers in making informed decisions about resource allocation, tooling, and which security controls to implement. Conducting an assessment is therefore an integral part of an organization's risk management process.
Security risk assessments contain:
- A high-level risk analysis, a risk ranking that details the highest risks, and the prioritization of risks and required security controls,
- Validated security testing artifacts,
- A risk management plan that identifies which applications need to be assessed, which key principles should be followed, and how the risk management plan will be implemented.
A security risk assessment is a process
The assessment process should be part of an organization's software development life cycle and follow the principles of the organization's software security approach. The risk assessment process should identify and prioritize the requirements that are critical to the success of the project. The process must provide a high degree of assurance that the software will conform to those requirements and that any security issues present will be corrected. It provides a mechanism to detect security weaknesses early enough to take corrective action to eliminate or mitigate them, when fixing them is still cheap.
The requirements the organization develops should include a set of security requirements to ensure that the software will be secure. These requirements also serve as the basis of the initial list of control requirements. The organization must develop a strategy to understand the security controls that are already in place, so the assessment measures gaps rather than re-deriving the whole control set. The assessment process might also have to consider the system's mission, the target audience, operational requirements, and the organization's security policy. This helps ensure the right controls are in place to protect against the risks that matter.
Organizations also must consider their risk management process when identifying, assessing, and prioritizing the risks associated with the application. Some organizations choose to conduct risk assessments periodically, or whenever the application or its threat environment changes materially, to ensure that applications remain secure over time. An organization should tailor its risk assessment process to its needs.
Risk assessment questionnaires
Organizations can use questionnaires, surveys, and various other tools to assess risk and identify an application's risk profile. A questionnaire consists of a set of questions per risk. Each question should evaluate a particular threat or vulnerability in the specific context of the application. For example, one question might assess whether an application is exposed to SQL injection, such as "How is data bound into database queries?" Another question might address the threat of Cross Site Scripting, such as "What type of input validation is performed on data entered on the web site?" Note that input validation alone does not prevent Cross Site Scripting; a follow-up question should ask whether output is encoded for the context in which it is rendered.
Questionnaires enable an organization to demonstrate some level of understanding of the application and its position in the organization's risk management strategy. Questionnaires can also be used to evaluate risk responses. They also serve as an audit trail for organizations that want to verify that a questionnaire was completed and that the responses were adequate. Instead of simply submitting a questionnaire, the organization may request that it be completed and returned at development meetings, where answers can be challenged.
Any organization can develop a questionnaire to assess risk. Questionnaires can be short and simple or elaborate and extensive. However, a more extensive questionnaire may be more of a hindrance: if a questionnaire is too long, respondents leave it incomplete, and incomplete responses may provide no usable information at all. The questions in any questionnaire should be answerable without extensive interaction with other documentation. A point system can be used to weight responses. For example, risk points could be added for an answer indicating that a control is absent and deducted (or zero points assigned) for an answer indicating that it is present, with the points scaled by how critical the control is.
Questionnaires consist of a set of questions that an organization can reuse to evaluate the security risk of each application. The questions allow the organization to quickly gauge the risk of the application and to identify security issues that might be present. Questionnaires are not intended to be a comprehensive security risk analysis. Questions can offer multiple answers that cover issues addressed by multiple security controls; three or four answers per question are typical. Questionnaires are effective only when they are used where appropriate, as a screening step, and not as a substitute for testing.
Organizations can customize a questionnaire for their specific needs by adding or revising questions. A questionnaire should become more robust as an organization learns more about the risks associated with its applications. Questionnaires can help organizations involve the development team and the QA team in the risk assessment. They can also help the organization identify the areas of greatest risk. Organizations can develop a questionnaire with the help of a member of the development and QA teams who is well versed in the applications. This is particularly valuable if the organization wants to focus the assessment on existing applications. Organizations can also work with the individuals who are responsible for the organization's security policy and who are familiar with the applications.
Questionnaires should focus on whether an application contains the relevant controls and whether the relevant parts of the application perform correctly. The questions can then be grouped by common mitigation, risk, and the criticality of the issue or risk to the application. This helps an organization focus the assessment
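A minimal scorer for the point system and grouping described above, written as an added example rather than code from the original page. The questions, answer options, control groups, criticality weights and the 75% completion threshold are all constructed for illustration; real questionnaires would carry the organization's own questions and weights. Each answer maps to risk points (0 when the control is present), the points are multiplied by the question's criticality, totals are rolled up per control group so the highest-risk mitigation areas rank first, and a questionnaire with too many unanswered questions is reported as inconclusive rather than scored as if the gaps were "no risk".

```python
"""Weighted risk-questionnaire scorer (added example, not from the original page)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control_group: str        # common mitigation the question maps to
    criticality: int          # 1 = low, 2 = medium, 3 = high; weights the risk points
    answers: Dict[str, int]   # answer label -> risk points (0 means the control is present)


# Constructed sample questionnaire; the questions and weights are hypothetical.
QUESTIONS: List[Question] = [
    Question("Q1", "How is data bound into database queries?", "injection", 3,
             {"parameterized": 0, "escaped": 1, "concatenated": 3, "unknown": 3}),
    Question("Q2", "What input validation is applied to request data?", "input-validation", 2,
             {"allow-list": 0, "deny-list": 1, "none": 3}),
    Question("Q3", "Is output encoded for the HTML context it is rendered in?", "xss", 3,
             {"always": 0, "partially": 2, "never": 3}),
    Question("Q4", "Are dependencies scanned for known vulnerabilities?", "supply-chain", 2,
             {"every build": 0, "periodically": 1, "never": 3}),
]


def score_questionnaire(
    questions: List[Question],
    responses: Dict[str, Optional[str]],
    min_completion: float = 0.75,   # hypothetical threshold below which results are inconclusive
) -> Tuple[Dict[str, int], Dict[str, int], float, bool]:
    """Return (per-question weighted points, per-control-group totals, completion ratio, conclusive).

    Unanswered questions are skipped rather than scored as zero risk, and the
    completion ratio is reported so incomplete questionnaires are not mistaken
    for low-risk ones. An answer that is not one of the offered options is an error.
    """
    per_question: Dict[str, int] = {}
    per_group: Dict[str, int] = {}
    answered = 0
    for q in questions:
        answer = responses.get(q.qid)
        if answer is None:
            continue
        if answer not in q.answers:
            raise ValueError(f"{q.qid}: unexpected answer {answer!r}")
        answered += 1
        weighted = q.answers[answer] * q.criticality
        per_question[q.qid] = weighted
        per_group[q.control_group] = per_group.get(q.control_group, 0) + weighted
    completion = answered / len(questions) if questions else 0.0
    return per_question, per_group, completion, completion >= min_completion


def rank_groups(per_group: Dict[str, int]) -> List[Tuple[str, int]]:
    """Control groups ordered highest weighted risk first; ties broken by name for stable output."""
    return sorted(per_group.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed responses for one application.
    responses = {"Q1": "concatenated", "Q2": "deny-list", "Q3": "partially", "Q4": "never"}
    per_q, per_group, completion, conclusive = score_questionnaire(QUESTIONS, responses)
    print(f"completion={completion:.0%} conclusive={conclusive}")
    for group, points in rank_groups(per_group):
        print(f"{group:18s} {points}")
```

The ranking output is the prioritized list of mitigation areas that the next paragraph of the assessment (or the risk management plan) would act on; the completion check is what turns an abandoned questionnaire into a visible gap instead of a silent pass.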