Background

A risk assessment is a required step for any application developer and ensures that the following are covered:

  • Hidden exploits
  • Proactive approach to keep our application secure
  • Compliance with cybersecurity laws 
  • Avoiding devastating business consequences


The 4 Essential Elements of Our Risk Assessment Model

Identification, assessment, mitigation, and prevention are all integral parts of our application risk assessment.

  1. Identification of possible issues
  2. Assessment of any risks
  3. Mitigation of any risks identified
  4. Prevention of any risks occurring in the future


Phases of the Risk Assessment

Gather Application Information

Applications are composed of underlying services, code, and data, and are built and deployed along a software supply chain containing systems, infrastructure, pipelines and processes.

We ensure we have a good understanding of all of this, along with key interactions between components, data, user roles and other application entry points.

Application security documentation is kept updated and can be used for any manual testing.


Ensure Proper System Configuration 

Misconfigurations of systems along the software supply chain, of deployment environments, or of the application itself can introduce vulnerabilities that attackers can exploit. We therefore review system configurations and evaluate application security controls, code repositories, build servers, artifact registries, cloud environments, application admin interfaces, application account permissions, and application data access.


Identity & Access Management Systems

We keep a constant check on our identity and access management implementation to ensure that we are supporting a least privilege model such that users and accounts access only what is needed to do their job, and nothing more.

Authentication methods are reviewed to ensure that weak passwords are not allowed, multi-factor authentication is enabled for privileged accounts, and secure identity standards are used wherever possible for authentication, single sign-on, and access management.


Revisit Authentication Procedures

Authentication procedures are tested and re-evaluated periodically. Password policies, password change requirements, password reset procedures, user session management, and the replacement of knowledge-based authentication with multi-factor authentication are also revisited periodically to ensure that the latest best practices are being implemented.


Secure the Software Supply Chain 

Because all of the software we supply is developed in house, the supply chain is seen as less of an issue. However, since a successful attack could embed a vulnerability in an application that is then passed along to end users, a constant and vigilant check is kept on any potential suppliers.


Remove Sensitive Data Within Code

We regularly scan our application code for embedded secrets left by application developers, such as hardcoded usernames, passwords, and access tokens. This is essential because, should a cybercriminal successfully access our code, they will not be able to use these secrets to move laterally and breach other systems in our organization.
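As an added illustration of the secret scan described above (example code, not the organization's own tooling), the following Python scanner flags quoted literals assigned to password-, user- or token-like keys, falls back to a Shannon-entropy check for random-looking strings under other key names, and masks the values it reports. The source text it scans is constructed for the example.

```python
import math
import re
from collections import Counter, namedtuple

# Constructed sample source (made-up values, not real credentials). Lines 1-3 and 6
# hold hardcoded secrets; line 5 shows the remediation (read from the environment).
SAMPLE_SOURCE = """\
DB_USER = "app_admin"
DB_PASSWORD = "Summer2023!"
api_token = "hf8A9sdf7hAs8d7fHAS8d7fhA9s8dfhA9s8dfh"
timeout_seconds = 30
db_password = os.environ["DB_PASSWORD"]
config = {"signing_key": "q7Rt2vXb9mLp4KzW8nYc1dFgH6jS3aE5"}
greeting = "Welcome to the application dashboard"
"""

# A key (bare or quoted) assigned a quoted string literal, in code or JSON style.
ASSIGNMENT = re.compile(r'(?P<key>[\w\-]+)["\']?\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']')
# Key-name keywords for the secret kinds the assessment names; checked in order.
KEYWORDS = [
    ("password", re.compile(r"pass(word|wd)?|pwd|secret", re.I)),
    ("username", re.compile(r"user|login", re.I)),
    ("access_token", re.compile(r"token|api_?key|access_?key", re.I)),
]
Finding = namedtuple("Finding", "line kind key masked")


def shannon_entropy(s):
    """Bits per character: random tokens score high (up to log2 of distinct chars), English text lower."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text, min_len=20, entropy_threshold=4.5):
    """Report hardcoded secrets, classified by key name first, then by a high-entropy literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            key, value = m.group("key"), m.group("value")
            kind = next((k for k, pat in KEYWORDS if pat.search(key)), None)
            # Fallback for long, random-looking literals under an unremarkable key name.
            if kind is None and len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                kind = "high_entropy_string"
            if kind:
                # Mask the value so the scan report itself does not leak the secret.
                findings.append(Finding(line_no, kind, key, value[:2] + "***"))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} in {f.key!r} = {f.masked}")
```

Line 5 of the sample is not reported because the value is read from the environment rather than written as a literal, which is the fix the scan is meant to drive.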


Implement Encryption Protocols

Encryption of data and assets protects data in transit and at rest so that it cannot be read by unauthorized users. Because encryption methods evolve rapidly, we hold regular reviews of those in use.


Business Logic Testing

Extensive business logic testing ensures that our application is behaving as it should and isn’t leaving room for unexpected behaviour that hackers could creatively leverage to stage a breach or attack.

We test to find and eliminate any weaknesses in our application that can arise from feature misuse, non-repudiation, trust relationships, data integrity, and segregation of duties.


Front End Testing

The development team performs all types of application tests for quality assurance, including unit tests, functional tests, integration testing and performance testing.

However, it is essential that enough effort is also put into front end testing, that is, testing the user interface of the application, which is an obvious attack surface and is often targeted early.


Review Error Handling

Improper error handling poses a threat because it can unintentionally expose extremely sensitive information that an attacker can exploit. This is why it is critical to minimize the information disclosed to anyone not authorized to see it.

It is also critical to monitor behaviour around requests for files that do not exist, and to log activity at the application's data entry points.


Summary

Security is one of the most important aspects of any application. An application risk assessment is an essential tool for our security and development team to help us spot hidden vulnerabilities before they become a problem.