The Risk Coalition

Risk-driven application security testing - four steps to securing business-critical applications

March 30, 2023

Did you know that 84% of cyber-attacks occur at the application layer? The application layer is the easiest to attack and the hardest to defend, as it is the most exposed and accessible. Why? Because organisations do not practise basic "security by design" principles when developing these applications. Consequently, applications are the primary attack vector for threat actors today.

But it doesn't have to be this way. There is a straightforward and pragmatic four-step process for assuring the security integrity of business-critical applications prior to launch. This approach consists of four simple steps:

Step 1: The process begins with a detailed analysis of the design, development, testing and hosting documentation associated with the application. The purpose is to identify all of the access points, the existing access controls and any inherent security design flaws. The application's development and testing processes should also be examined for adherence to OWASP best practices. Document the findings.

Step 2: The short design review is then followed by a threat assessment. In this step, the information asset(s) processed, stored or transmitted by the application, and their sensitivity classification level(s), are identified and confirmed. The assessment should be based on the information obtained in the design review. Document these findings, together with any potential vulnerabilities that could be exploited.

Step 3: The results of the threat assessment provide valuable input for the next step: defining and documenting the "attack surface" associated with the application, given its design, development and deployment flaws. This step is critical, as it identifies the probable threat agents and their most likely attack vectors. This modelling is essential for scoping an effective security penetration test of the application, one that actually simulates real-life attack scenarios. Upon completion, the model is used in the next and final step.

Step 4: Finally, a security penetration test is conducted on the application. The testing scope, approach, tools and methodology are determined by the actual attack surfaces associated with the application. In this way, testing simulates real-world attack scenarios, from the identified threat agents through the existing attack vectors. This pragmatic approach significantly increases the value of testing and results in remedial recommendations that, if implemented, will actually reduce the threat to your application.


Richard Hollis is chief executive at Risk Crew. To find out more about risk-driven security testing, join Risk Crew's webinar, entitled "No DevSecOps? Plan B: Risk-Driven Application Testing", on 4 April 2023.

Tags: Richard Hollis