Dynamically determining application risk for greater risk reduction

Understanding your application portfolio and building a tailored plan to reduce risk with less effort

Caleb Queern


Director, Cyber Security, KPMG US

+1 571-228-8011

Shamik Shukla


Director Advisory, Cyber Security Services, KPMG US

+1 908-227-2433


Most large organizations today run the business on a portfolio of custom software applications, but struggle to keep up with the volume of security work that portfolio involves.

These organizations likely perform regular assessments to estimate the likelihood and impact of risk arising from each application's exposure to threats and vulnerabilities. Some applications should receive more scrutiny than others because they carry a higher level of risk exposure relative to the rest of the portfolio. For example, a set of controls like the following might be defined for custom software, with the assessment frequency scaled to the application's business criticality:

Example Security Assessment | Level of Effort for Security Team | Frequency: High Business Criticality | Frequency: Medium Business Criticality | Frequency: Low Business Criticality
--- | --- | --- | --- | ---
Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), Credential Scanning | Low to Medium | Any change in source code, dependent libraries, or underlying infrastructure | Upon each major change, or no more than 6 months after the last scan | Upon each major change, or no more than 12 months after the last scan
Threat Modeling | Medium to High | Upon each major change | Upon each major change | Upon each major change
Data Privacy Review | Medium to High | Annual | Annual | Annual

The features that determine an asset's overall risk profile often include basic "application demographic" attributes: whether the application is public facing, how many users it has, and whether it handles especially sensitive data such as personally identifiable information (PII). These attributes are also key to scoping an organization's asset inventory, and they determine which set of risks and controls a particular asset should inherit. The resulting risk profile then drives how often the risks and controls associated with the asset are assessed and monitored; assets carrying higher risk are monitored more frequently. Getting this part wrong means assessing too many or too few risks and controls, or executing assessments too often or not often enough, for a given asset, and ultimately failing to provide an accurate view of the organization's risk and compliance posture.

"Shifting security left" in DevSecOps lets developers on higher-performing teams take on responsibility for some of these assessments by automating them in their build pipelines. In most organizations, however, much of the burden of executing these assessments still falls on a small, likely overburdened team in the CISO's organization that does not have the time to do as much of this important work as business leaders would like. The business is left without the visibility it needs into its security risk and its potentially exposed systems.

Leveraging data and ServiceNow to efficiently scope and drive risk and security processes

Determining whether an application is of high, medium, or low business criticality is often a "set it and forget it" decision, performed once or perhaps every couple of years. That is unfortunate, because the characteristics that determine criticality change: an internal tool is exposed to the internet, a new feature starts storing PII, or the user base grows by an order of magnitude. Enterprises should refresh the signals that make up an application's criticality far more frequently.

Worse, most organizations do not take advantage of other nearby data that could inform an accurate business criticality rating. What if an application is found to consistently have fewer and less severe vulnerabilities during SAST, DAST, and SCA scanning than its peers? What if that application's developers are always quick to address the vulnerabilities that are inevitably found? Might that application deserve a lower business criticality rating, and possibly less frequent assessments? One caveat applies: such behavior data speaks to likelihood, not to business impact. An internet-facing application that processes PII should keep the scrutiny its exposure and data warrant, so behavior signals are best used to adjust residual risk and assessment cadence within bounds set by the impact attributes, not to override them.

By taking such "application security behavior" data points into consideration across the portfolio, an organization can reduce unnecessary scrutiny on well-run development teams, freeing them to focus on innovation and delighting customers. For its part, the CISO's application security team can allocate its scarce resources to the applications that really need them.

Bringing the data suggested above into a single place can be tricky. Platforms such as ServiceNow can connect these details into a single view. ServiceNow's Configuration Management Database (CMDB), Application Portfolio Management (APM), Governance, Risk and Compliance (GRC), and Vulnerability Response modules can collect the telemetry needed to dynamically reallocate security support to the applications that deserve it.

Value delivered through an integrated solution

Integrating ServiceNow’s CMDB, APM, GRC, and SecOps modules can provide the following benefits and set up your organization for long lasting value:

  1. Applications are managed through a central inventory with relevant attributes that are kept up to date. These attributes build an accurate profile of each application.
  2. An initial application risk assessment refines the set of risks and controls that the application inherits and is ultimately monitored against. The application's profile and this assessment dictate the downstream risk and compliance assessments and the amount of work that needs to be done.
  3. Applications are monitored, and risk and compliance assessments are performed, against a predefined schedule. Data from controls, issues, policy exceptions, vulnerabilities, and security incidents recorded against an application all contribute to its residual risk; integrating this data builds a more accurate reading of that residual risk.
  4. Real-time residual risk ratings are aggregated to the application, where its overall profile or business criticality can be adjusted. This feedback loop shifts resources to the more critical applications that need attention, reducing the organization's overall risk exposure.
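The scoring and feedback loop sketched in the "application security behavior" discussion above and in the four steps just listed, as an added, self-contained example. It is not KPMG's or ServiceNow's code and does not call the ServiceNow API; the field names, weights, tier thresholds and the three-application sample portfolio are all assumed for illustration. It goes one step beyond the text by adding an impact floor, so that good behavior can lower an application's tier by at most one step, and it encodes the scan cadence from the example assessment table earlier in the article.

```python
"""Dynamic application criticality from demographic attributes plus observed security behavior.
Constructed illustration: field names, weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

TIERS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class AppProfile:
    """'Application demographic' attributes (assumed field names, not a ServiceNow schema)."""
    name: str
    public_facing: bool
    user_count: int
    handles_pii: bool


@dataclass(frozen=True)
class SecurityBehavior:
    """Observed 'application security behavior' (assumed field names)."""
    findings_per_kloc: float    # open SAST/DAST/SCA findings per 1,000 lines of code
    median_days_to_fix: float   # median time from finding to closure
    open_critical: int          # critical findings currently open
    incidents_90d: int          # security incidents in the last 90 days
    policy_exceptions: int      # active policy exceptions


def impact_score(p: AppProfile) -> int:
    """Business-impact component (0..10) from demographic attributes only."""
    s = 4 if p.public_facing else 0
    s += 3 if p.handles_pii else 0
    if p.user_count >= 100_000:
        s += 3
    elif p.user_count >= 10_000:
        s += 2
    elif p.user_count >= 1_000:
        s += 1
    return s


def likelihood_score(b: SecurityBehavior, peers: list) -> float:
    """Likelihood component (0..10): scan behavior relative to portfolio peers plus open exposure."""
    dens_med = median([x.findings_per_kloc for x in peers]) or 1.0
    fix_med = median([x.median_days_to_fix for x in peers]) or 1.0
    dens_ratio = min(b.findings_per_kloc / dens_med, 2.0)   # 1.0 == portfolio median
    fix_ratio = min(b.median_days_to_fix / fix_med, 2.0)
    s = 2.0 * dens_ratio + 2.0 * fix_ratio                  # 0..8 from scan behavior
    s += min(b.open_critical, 2) * 1.0                      # up to +2
    s += min(b.incidents_90d, 2) * 1.0                      # up to +2
    s += min(b.policy_exceptions, 2) * 0.5                  # up to +1
    return min(s, 10.0)


def tier_from_score(score: float, high: float, medium: float) -> str:
    return "High" if score >= high else "Medium" if score >= medium else "Low"


def rate_application(p: AppProfile, b: SecurityBehavior, peers: list):
    """Return (tier, residual). Behavior moves the tier, bounded below by an impact floor."""
    imp = impact_score(p)
    residual = imp * likelihood_score(b, peers) / 10.0       # 0..10
    behavior_tier = tier_from_score(residual, high=5.0, medium=2.5)
    impact_tier = tier_from_score(imp, high=7, medium=4)
    # Guardrail: good behavior lowers the rating by at most one step below the
    # impact-only tier, so an internet-facing PII application is never rated "Low".
    floor = TIERS[max(TIERS.index(impact_tier) - 1, 0)]
    tier = max(behavior_tier, floor, key=TIERS.index)
    return tier, round(residual, 2)


# Scan cadence for SAST/DAST/SCA/credential scanning from the article's table:
# High = any change; Medium = each major change or 6 months; Low = each major change or 12 months.
SCAN_MAX_AGE_DAYS = {"High": None, "Medium": 182, "Low": 365}


def scan_due(tier: str, last_scan: str, today: str, change: Optional[str] = None) -> bool:
    """Dates are ISO strings (as exported from an inventory); change is None, 'minor' or 'major'."""
    if tier == "High":
        return change is not None
    if change == "major":
        return True
    age = (date.fromisoformat(today) - date.fromisoformat(last_scan)).days
    return age > SCAN_MAX_AGE_DAYS[tier]


# Constructed sample portfolio (not real data).
PORTFOLIO = {
    "customer-portal": (AppProfile("customer-portal", True, 250_000, True),
                        SecurityBehavior(0.8, 5, 0, 0, 0)),   # well run, high impact
    "hr-intranet":     (AppProfile("hr-intranet", False, 5_000, True),
                        SecurityBehavior(2.0, 30, 1, 1, 1)),  # average on every signal
    "payroll-batch":   (AppProfile("payroll-batch", False, 20_000, True),
                        SecurityBehavior(4.0, 60, 2, 1, 2)),  # poorly run, medium impact
}


def assess_portfolio(portfolio=PORTFOLIO) -> dict:
    """Rate every application against its peers; returns name -> {impact_tier, residual, tier}."""
    peers = [b for _, b in portfolio.values()]
    out = {}
    for name, (p, b) in portfolio.items():
        tier, residual = rate_application(p, b, peers)
        out[name] = {"impact_tier": tier_from_score(impact_score(p), 7, 4),
                     "residual": residual, "tier": tier}
    return out


if __name__ == "__main__":
    for name, r in assess_portfolio().items():
        print(f"{name:16s} impact-only={r['impact_tier']:6s} residual={r['residual']:<5} -> {r['tier']}")
```

Run stand-alone, the sample shows all three movements the article describes: the customer portal drops from High to Medium on the strength of its scan history but the floor keeps it out of Low; the intranet stays Medium; the payroll job rises from Medium to High because its exposure signals are worse than its peers. The weights are deliberately simple so that a reviewer can trace any rating back to its inputs, which matters when developers ask why their cadence changed.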

KPMG is a ServiceNow Global Elite Partner and can help you effectively manage risks, improve compliance posture, and enable faster response to vulnerabilities and incidents.