Improve the AppSec Risk Management Process

A structured risk management process is necessary to join up security activity across your organisation. Here are 4 ways to improve your organisation’s AppSec risk management process.

A 2016 study by the Ponemon Institute found that 28% of organisations have no process in place for managing application security risks, and a further 9% have only an ad hoc process. Taken together, more than a third of organisations have no effective risk management process for application security. Here are four things you can do to improve the application security risk management process in your organisation.

1) Improve Application Visibility

69% of respondents to the Ponemon Institute study said their organisation does not know all of the applications or databases currently active on its network. Shadow IT (software or services that employees source, install and use without informing the IT team) creates security blind spots: an application nobody has recorded is not patched, not monitored and not in scope for any assessment, so it is a large risk to your organisation. Your security and IT teams therefore need visibility across the whole of your organisation's network and an inventory of every application in use, who owns it and where it runs, checked regularly against what is actually observed rather than what the records say.
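One concrete way to act on this, as an added example that is not from the original article: reconcile the inventory of approved applications against the services a network scan actually sees, in both directions. Anything observed that the inventory does not account for is candidate shadow IT; anything the inventory lists that the scan cannot find is a stale record. The inventory, hostnames and scan output below are constructed sample data, and the scan format (one `host port banner` line per open service) is an assumption.

```python
"""Reconcile an approved-application inventory against observed network services.

Added example, not from the original article. The inventory, scan output and
hostnames are constructed sample data; the scan line format is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedApp:
    name: str
    owner: str            # team accountable for the application
    hosts: frozenset      # hostnames it is approved to run on
    ports: frozenset      # ports it is expected to listen on


# Constructed: what the inventory says should be running.
APPROVED = [
    ApprovedApp("crm-web", "sales-it", frozenset({"crm01"}), frozenset({443})),
    ApprovedApp("hr-portal", "people-ops", frozenset({"hr01"}), frozenset({443})),
    ApprovedApp("postgres-main", "platform", frozenset({"db01"}), frozenset({5432})),
    ApprovedApp("legacy-sftp", "finance", frozenset({"ftp01"}), frozenset({22})),
]

# Constructed: one open service per line (host, port, banner), the shape a port
# scanner's output might be summarised into. Three of these are not in the inventory.
SCAN_RESULTS = """\
crm01 443 nginx
hr01 443 Apache
db01 5432 PostgreSQL
db01 27017 MongoDB
build07 8080 Jenkins
hr01 3389 ms-wbt-server
"""


def parse_scan(text):
    """Parse 'host port banner' lines into (host, port, banner) tuples."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, port, banner = line.split(maxsplit=2)
        services.append((host, int(port), banner))
    return services


def expected_endpoints(approved):
    """Every (host, port) pair the inventory accounts for, mapped to the app name."""
    return {(h, p): app.name for app in approved for h in app.hosts for p in app.ports}


def find_unapproved(approved, services):
    """Observed services no approved application accounts for: candidate shadow IT."""
    expected = expected_endpoints(approved)
    return sorted((h, p, b) for h, p, b in services if (h, p) not in expected)


def find_missing(approved, services):
    """Inventory entries the scan did not see: stale records or decommissioned hosts."""
    seen = {(h, p) for h, p, _ in services}
    return sorted((name, h, p) for (h, p), name in expected_endpoints(approved).items()
                  if (h, p) not in seen)


if __name__ == "__main__":
    observed = parse_scan(SCAN_RESULTS)
    for host, port, banner in find_unapproved(APPROVED, observed):
        print(f"UNAPPROVED {host}:{port} ({banner}) - find an owner or shut it down")
    for name, host, port in find_missing(APPROVED, observed):
        print(f"MISSING    {name} expected on {host}:{port} - update the inventory")
```

Run against the sample data this flags the MongoDB instance on the database host, the Jenkins server on build07 and RDP on the HR host as unaccounted for, and reports the SFTP record as stale. In practice the scan input would come from whatever discovery you already run (port scans, cloud asset APIs, endpoint agents) and every unapproved hit is a ticket: assign an owner or remove it.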

2) Integrate Security into the Software Development Lifecycle

It's not just the applications your organisation uses that pose a risk; the applications you develop are also a critical security concern. Security therefore needs to be an integral part of the software development lifecycle, from planning right through to maintenance after deployment: threat modelling at design time, code review and security testing before release, and patching and monitoring once the application is live. Applications built this way ship with fewer vulnerabilities, so your customers' data is less exposed and your organisation is less likely to have to deal with a serious data breach.

3) Establish a Vulnerability Response Process

Having a defined vulnerability response process in place will greatly improve your organisation's risk management. At some point your organisation will have to respond to a high-profile vulnerability that poses an immediate risk to its data, in software it runs or software it ships, and at some point it may suffer a breach; the two are related but not the same. A newly disclosed vulnerability needs to be triaged and fixed before anyone exploits it, whereas a breach is an incident that also needs containment, investigation and notification. A written process means that when either happens your team knows how a report is received and triaged, how its severity and remediation deadline are decided, who is responsible for the fix for each application, how the fix is verified, and what needs to be done to secure your applications in the aftermath.

4) Allocate Resources Appropriately

It's important that your executive team has a realistic understanding of where your organisation is most vulnerable. A common misconception is that the network layer is the source of the majority of vulnerabilities, so organisations invest their time and effort securing the network layer. Gartner has estimated that at least 70% of vulnerabilities exist in the application layer, so the majority of developer and security resources should go to securing the application layer, where the most harmful breaches are most likely to occur. Additionally, it's important to assess which applications are business-critical, and which use or process personal information or high-value intellectual property. These should be your top priority to secure, and the first you check when a vulnerability is disclosed or a breach does occur.
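Points 3 and 4 combine naturally into one triage rule, shown here as an added example that is not from the original article: a finding's priority and remediation deadline come from its technical severity scaled by what the affected application is worth to the business (business-critical, processes personal information, holds intellectual property), and every finding leaves triage with a named owner. The asset weights, priority bands and SLA deadlines are hypothetical policy values; the assets, finding identifiers and dates are constructed sample data.

```python
"""Risk-based triage for a vulnerability response process.

Added example, not from the original article. The asset weights, priority bands
and remediation SLAs are hypothetical policy values; the assets and findings
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                 # team that owns the fix
    business_critical: bool
    handles_pii: bool          # processes personal information
    handles_ip: bool           # holds high-value intellectual property


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: Asset
    cvss: float                # CVSS base score, 0.0 to 10.0
    reported: date


# Hypothetical remediation deadlines, in days from the report date.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


def asset_weight(asset):
    """Hypothetical multiplier: the more sensitive the asset, the higher the stakes."""
    weight = 1.0
    if asset.business_critical:
        weight += 1.0
    if asset.handles_pii:
        weight += 0.5
    if asset.handles_ip:
        weight += 0.5
    return weight


def risk_score(finding):
    """Technical severity scaled by what the vulnerable asset is worth to the business."""
    return round(finding.cvss * asset_weight(finding.asset), 2)


def priority(score):
    """Hypothetical bands over the 0 to 30 range the score can take."""
    if score >= 18.0:
        return "P1"
    if score >= 9.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def triage(finding, today):
    """Decide priority, owner and deadline for one finding."""
    score = risk_score(finding)
    level = priority(score)
    due = finding.reported + timedelta(days=SLA_DAYS[level])
    return {
        "vuln_id": finding.vuln_id,
        "asset": finding.asset.name,
        "owner": finding.asset.owner,
        "score": score,
        "priority": level,
        "due": due,
        "overdue": today > due,
    }


def build_queue(findings, today):
    """Remediation queue: highest priority first, earliest deadline first within a band."""
    return sorted((triage(f, today) for f in findings),
                  key=lambda row: (row["priority"], row["due"]))


# Constructed sample assets and findings.
CRM = Asset("crm-web", "sales-it", business_critical=True, handles_pii=True, handles_ip=False)
WIKI = Asset("internal-wiki", "it-ops", business_critical=False, handles_pii=False, handles_ip=False)
VAULT = Asset("design-vault", "engineering", business_critical=True, handles_pii=False, handles_ip=True)

FINDINGS = [
    Finding("F-101", WIKI, cvss=9.8, reported=date(2024, 5, 1)),
    Finding("F-102", CRM, cvss=7.5, reported=date(2024, 5, 1)),
    Finding("F-103", VAULT, cvss=3.1, reported=date(2024, 4, 1)),
]


if __name__ == "__main__":
    for row in build_queue(FINDINGS, date(2024, 5, 20)):
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'{row["priority"]} {row["vuln_id"]} {row["asset"]:14} owner={row["owner"]:12} '
              f'score={row["score"]:5} due={row["due"]} {flag}')
```

The sample data makes the point of section 4 visible: F-101 has the highest CVSS score, but it sits on a non-critical internal wiki and is queued behind F-102, a less severe bug in the customer-facing CRM that holds personal data. F-102 is a P1 with a seven-day deadline and is already overdue on the run date, which is exactly the kind of signal the process should surface to the owning team and to management.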