The Importance of a Risk Based Approach in Security Assessments

Suppose you run a security scan on your application, and it produces a report with a list of one hundred security issues.  

Where would you start? What issue(s) would you tackle first?  

You need a way to prioritize the list and to know which issues are high risk, which are low risk, and which ones can be ignored. Without a way to triage the list, you’ll spend a lot of time and effort trying to fix all 100 issues. 

To properly triage the issues, you need to take the business impact into account. In other words, given what we know about the business, if the issue is left unchecked, how likely is it that the threat will be realized, and how badly would it hurt the business if it were? The more likely and the more damaging, the higher the risk. The less likely and the less damaging, the lower the risk.

Most pentesters do not do business impact assessments. Instead, they do a pentest and provide a list of results. Some offer severity ratings with each issue, but where do those severity ratings come from?  

They come from their tool. They use an automated security scanner tool, which finds a list of issues and gives them each a generic severity rating. But the tool doesn’t know anything about the business, so it can’t accurately set priorities on which issues to address. 

Generally, in the industry, there is a consensus that certain issue classes such as SQL injection or cross-site scripting are high severity. But what about the business context?

SQL injection means that a bad actor can alter the queries the application sends to its SQL database and read or modify whatever that database holds. But what if the business doesn't keep any data in that database? With that context in mind (i.e. there is no data to steal or tamper with), the SQL injection is low impact and low severity. The context has to cover what the database can reach as well as what it stores: an injection point that can reach other schemas, the file system or OS-level functions still carries impact even when the table in front of it is empty.

What Makes Forward Security Different?

At Forward Security, our comprehensive, 4-stage Application Security Risk Assessment includes a Security Design Review and Code Security and Vulnerable Dependency Analysis, as well as a business impact assessment. Through this, we can understand the context of your business and provide more accurate triage and remediation recommendations. This allows you to focus your effort where it matters. 

In addition to our Risk Assessment, we use our Eureka DevSecOps Platform, which automatically aggregates and correlates issues. For example, cross-site scripting on its own may be low risk, but combined with two other low-risk issues it could be used to realize a particular attack. In this case, we chain all three issues together into one threat scenario, which reduces the number of issues, and assign a risk to that scenario, making it easier to decide what to fix. Thus, we give you fewer issues to deal with, and more valuable ones, so you can focus your effort where it gets results.
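The two ideas above, re-scoring a scanner's generic severities against business context and chaining correlated low-risk findings into one threat scenario, are illustrated below in a small Python routine. This is an added example, not Forward Security's or the Eureka platform's code: the severity weights, the likelihood and impact formulas, the chain table and the sample findings and asset contexts are all constructed for illustration and are assumptions, not anything the page describes.

```python
"""Context-aware triage of scanner findings (added illustration, not Eureka's code).

Every weight, formula, chain rule, finding and asset context here is constructed
for the example. Replace them with your own business context before use.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping from a scanner's generic severity label to a base likelihood.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2, "info": 0.05}


@dataclass(frozen=True)
class Finding:
    id: str
    kind: str              # issue class, e.g. "sqli", "xss", "open_redirect"
    asset: str             # component the scanner found it in
    scanner_severity: str  # the tool's generic rating


@dataclass(frozen=True)
class AssetContext:
    """Business context the scanner cannot know (assumed schema)."""
    data_sensitivity: float  # 0..1: how sensitive the data this component holds is
    exposure: float          # 0..1: 1.0 = internet-facing and unauthenticated
    reachable_impact: float  # 0..1: what else it can reach (other DBs, OS functions)


def likelihood(f: Finding, ctx: AssetContext) -> float:
    """Assumed heuristic: scanner exploitability scaled by how exposed the asset is."""
    return SEVERITY_WEIGHT[f.scanner_severity] * ctx.exposure


def risk_score(f: Finding, ctx: AssetContext) -> float:
    """Risk = likelihood x impact, where impact is the worst of data held or reachable."""
    return round(likelihood(f, ctx) * max(ctx.data_sensitivity, ctx.reachable_impact), 3)


# Assumed chain rules: kinds that, on the same asset, together realize one attack.
# (required kinds, scenario name, impact of the realized scenario)
CHAINS = [
    (frozenset({"xss", "open_redirect", "weak_session"}),
     "session hijack via reflected XSS + open redirect + weak session cookie", 1.0),
]


def chain_scenarios(findings, contexts):
    """Collapse findings that match a chain rule into one scenario per asset.

    Scenario likelihood is the weakest link (every step is needed); scenario impact
    comes from the chain rule, not from any single finding. Returns the scenarios and
    the ids of findings they consumed.
    """
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)
    scenarios, consumed = [], set()
    for asset, fs in by_asset.items():
        kinds = {f.kind: f for f in fs}
        for needed, name, impact in CHAINS:
            if needed.issubset(kinds):
                links = [kinds[k] for k in sorted(needed)]
                lk = min(likelihood(f, contexts[asset]) for f in links)
                scenarios.append((f"{asset}: {name}", round(lk * impact, 3), [f.id for f in links]))
                consumed.update(f.id for f in links)
    return scenarios, consumed


def prioritize(findings, contexts):
    """Return (label, risk, finding ids) sorted by context-aware risk, highest first."""
    items, consumed = chain_scenarios(findings, contexts)
    items += [
        (f"{f.id} {f.kind} on {f.asset} (scanner: {f.scanner_severity})",
         risk_score(f, contexts[f.asset]), [f.id])
        for f in findings if f.id not in consumed
    ]
    return sorted(items, key=lambda item: item[1], reverse=True)


# Constructed sample input: two "high" SQLi findings the scanner rates identically,
# plus three "low" findings on one portal that chain into an account-takeover path.
SAMPLE_FINDINGS = [
    Finding("F1", "sqli", "reporting-db-api", "high"),
    Finding("F2", "xss", "customer-portal", "low"),
    Finding("F3", "open_redirect", "customer-portal", "low"),
    Finding("F4", "weak_session", "customer-portal", "low"),
    Finding("F5", "sqli", "billing-api", "high"),
]
SAMPLE_CONTEXTS = {
    # internal, empty staging database: nothing to steal and little to reach
    "reporting-db-api": AssetContext(data_sensitivity=0.0, exposure=0.3, reachable_impact=0.1),
    "customer-portal": AssetContext(data_sensitivity=0.7, exposure=1.0, reachable_impact=0.3),
    "billing-api": AssetContext(data_sensitivity=1.0, exposure=1.0, reachable_impact=0.6),
}

if __name__ == "__main__":
    for label, risk, ids in prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXTS):
        print(f"{risk:5.3f}  {label}  <- {ids}")
```

Running it ranks the billing SQL injection first, the three chained portal findings second as a single scenario that scores higher than any of its parts, and the SQL injection against the empty reporting database last, even though the scanner gave both injections the same "high" rating.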

Because many pentesters do not follow a risk-based approach, acting on their results can be incredibly time consuming: you don't know where to focus your effort, and you get bogged down in a long list of low-value issues that carry generic severities with no business context behind them.

Running a security scan on your application can produce a long list of security issues, but it’s important to prioritize and triage the list in order to effectively address the most pressing issues.

To do this, it’s necessary to take into account the business impact of each issue, as the likelihood and potential impact on the business will determine the risk level.

Many pentesters simply provide a list of results with generic severity ratings, but these ratings don’t take into account the specific context of the business.

Forward Security differentiates itself by considering the business context when assessing the severity of security issues and setting priorities. This allows us to provide a more accurate and effective assessment of the risks facing a business.

How Mature is Your DevSecOps?

Our comprehensive DevSecOps Maturity Assessment covers 8 key phases of DevSecOps practices, 29 questions in total.

By evaluating your team on each capability, you can determine if your DevSecOps maturity level is early, intermediate, or advanced. Your assessment includes a custom report that provides your overall maturity as well as detailed recommendations you can take to enhance your security posture.
