SI Secure


Software Security Total Risk Management

Mitigating the business risk of insecure software
Security Innovation’s Software Security Total Risk Management methodology is a state-of-the-art approach that enables enterprises to assess software security vulnerabilities more accurately, prioritize them correctly, and develop a customized vulnerability remediation roadmap that helps manage business risk.

Conventional approaches to software security are not risk-based: they typically consist of no more than penetration testing of application functionality against a pre-determined set of common vulnerabilities. This approach frequently fails to address each application’s unique code-, system- and workflow-level vulnerabilities. More importantly, it provides little practical guidance on prioritizing defect remediation or on creating a roadmap to guide improvements in the enterprise software security posture.

Our Total Risk Management approach begins with a unified view of application security threats and risks at both business workflow and technical systems levels, to ensure that the business risk implications of application security vulnerabilities are correctly assessed. Different modeling techniques to address each threat and risk type are combined to augment the more conventional application penetration testing approach, as illustrated below.

(Figure: risks and threats)

Threat modeling of the application workflow, coupled with attack modeling and design/code review of the application implementation, traces all the ways in which application end-users and administrators might accidentally or intentionally exploit faulty application control logic or coding errors.

Risk modeling, incorporating Secure Software Development Life Cycle (SSDLC) and other best practices drawn from such internationally accepted standards as the ISO 2700x series and the Information Technology Infrastructure Library (ITIL), helps ensure that application vulnerabilities are viewed in the broader risk context of business asset valuation, regulatory compliance and operational efficiency.

Software Security Total Risk Management Methodology

The second part of our Software Security Total Risk Management approach applies the augmented risk measurement matrix within a best-practices risk management process built on the four basic steps of effective IT risk management: Discovery, Assessment, Strategy, and Execution, as illustrated below.

(Figure: risk modeling process: Discovery, Assessment, Strategy, Execution)

Risk Discovery entails the review of software (application- or systems-level technical specifications) in order to understand exactly how the technical system in question has been designed and deployed. In keeping with the risk measurement matrix requirements noted earlier, Discovery also includes inventorying the application workflow requirements. Finally, stakeholder participation is designed into the risk management process from the beginning, so that each intermediate step is validated before the process moves forward.

Risk Assessment is the phase of our Total Risk Management approach that distinguishes us from the competition. While most application or software security vendors do little more than conduct “black box” penetration tests against applications, Security Innovation applies its proprietary threat methodology to identify high-priority software vulnerabilities that penetration testing alone may not find. Our risk modeling then quantifies those vulnerabilities in terms of the business risk they carry: data breaches, loss of business IP, or operational inefficiencies.

Risk Strategy comprises prioritizing the business risk posed by software vulnerabilities and then working with customers to choose among the risk management responses: avoidance, transfer, remediation or acceptance. For those vulnerabilities requiring immediate remediation, Security Innovation works with customer stakeholders to develop a remediation “roadmap” consistent with the enterprise goal of an enhanced software security posture.

Execution encompasses performing the software security remediation activities that emerge from the strategy, from tactical software “patches” that fix high-priority vulnerabilities to more strategic programs such as our Secure Software Development Life Cycle Best Practices.
