Classifying applications

A good first step towards the implementation of a secure SDLC is to take stock of your existing applications. All applications within your organization carry with them a certain level of risk. This risk needs to be quantified in order to guide you towards making effective decisions about security tradeoffs.

Classifying your applications from a security perspective helps provide input into your asset management process. Below are some items to consider, in multiple-choice format. Each answer to the questions below can be assigned a specific weight. The options are listed in order of increasing weight:

  1. What is the scope of the application’s use?
     - Internal, within a department?
     - Internal, across multiple departments?
     - External (customer, business partner, vendor, supplier)?
  2. What kind of information does this application store, process, or transmit?
     - Public information?
     - Internal?
     - Customer confidential?
  3. What is the approximate size of the end-user base?
     - Less than 50?
     - Between 50 and 100?
     - Between 100 and 250?
     - Between 250 and 500?
     - Greater than 500?
  4. What is the approximate budget allotted to this application?
     - Less than $50,000?
     - Between $50,000 and $100,000?
     - Between $100,000 and $500,000?
     - Between $500,000 and $1M?
     - Between $1M and $5M?
     - Greater than $5M?
  5. What kind of financial transactions are executed by this application?
     - No transactions
     - B2B
     - B2C
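As an added example (not from the original post), here is one way to turn the questionnaire above into a scoring tool for an application inventory. It assumes each option's weight is its position in the list (the post only says options are listed in order of increasing weight) and that an application's score is the plain sum of its per-question weights; the two applications in the inventory are constructed sample data.

```python
# Assumption: an option's weight is its 1-based position in the option list.
QUESTIONNAIRE = {
    "scope": ["internal, one department", "internal, multiple departments",
              "external (customer, partner, vendor, supplier)"],
    "data": ["public", "internal", "customer confidential"],
    "users": ["< 50", "50-100", "100-250", "250-500", "> 500"],
    "budget": ["< $50k", "$50k-$100k", "$100k-$500k", "$500k-$1M",
               "$1M-$5M", "> $5M"],
    "transactions": ["none", "B2B", "B2C"],
}


def answer_weight(question: str, answer: str) -> int:
    """Weight of one answer; rejects unknown questions or options."""
    options = QUESTIONNAIRE[question]
    if answer not in options:
        raise ValueError(f"{question!r}: unknown option {answer!r}")
    return options.index(answer) + 1


def max_score() -> int:
    """Highest possible total, useful for reporting a score as a fraction."""
    return sum(len(opts) for opts in QUESTIONNAIRE.values())


def score_application(answers: dict) -> int:
    """Sum of weights; every question must be answered so apps are comparable."""
    missing = set(QUESTIONNAIRE) - set(answers)
    if missing:
        raise ValueError(f"unanswered questions: {sorted(missing)}")
    return sum(answer_weight(q, a) for q, a in answers.items())


def rank_inventory(inventory: dict) -> list:
    """Return [(app_name, score)] with the riskiest application first."""
    scored = [(name, score_application(ans)) for name, ans in inventory.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample inventory (not real applications).
INVENTORY = {
    "payroll": {"scope": "internal, multiple departments", "data": "internal",
                "users": "250-500", "budget": "$100k-$500k",
                "transactions": "none"},
    "storefront": {"scope": "external (customer, partner, vendor, supplier)",
                   "data": "customer confidential", "users": "> 500",
                   "budget": "$1M-$5M", "transactions": "B2C"},
}

if __name__ == "__main__":
    for name, score in rank_inventory(INVENTORY):
        print(f"{name:12s} {score}/{max_score()}")
```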

In a future post, I’ll move into CIA considerations for assessing your application’s risk.
