What is it?
Controls to ensure that software applications are developed and operated in accordance with an organization’s requirements and risk tolerance levels.
Why is it important?
Application risk governance provides a framework to ensure an appropriate balance between security and operations.
Why does a business professional need to know this?
Everywhere, disruptive technologies and applications are introducing risk to organizations both internally and on the web. Application risk governance provides a framework to identify and remove quality issues that pose an unacceptable level of risk at all stages of software delivery, from planning to production.
Successful governance can be achieved only if the entire process is efficiently mapped, measured, and monitored. Policies and procedures must be well-documented, and employees must have incentives to follow them.
The Open Web App Security Project (OWASP) identifies processes that result in improved governance. These processes include the following:
- Software security integration into the software development lifecycle
- Security requirements identification
- Design security review
- Architecture security review
- Security code review
- Security testing
- Deployment security review
- Release security review
These processes follow the premise that governance can be achieved more effectively by design than by re-examination.
The US Department of Homeland Security advocates best practice in software development and a “Build Security In” approach as part of a comprehensive software assurance professional competency model.
It is important to remember: not all quality issues are security issues, but all security issues are quality issues.