I gave a presentation to the Raleigh ISSA chapter this evening titled “Skeletons in the Closet: Securing Inherited Applications.”
The slide deck is online here:
The main points we covered were:
- You need to develop a listing of the applications in your portfolio. You can’t protect what you don’t know about.
- These applications need to be risk-ranked so that you can prioritize software assurance activities. If everything is equally important then nothing is actually important so you have to have a framework for making tradeoffs.
- Once you have these things you can start to have “grown up” conversations with executives about managing software risk.
This is very similar to a talk I gave at OWASP DC 2010 titled “Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers.” You can see video of that presentation online here.
Contact us for help dealing with your skeletons in the closet and email me if you would like a copy of the example Excel spreadsheet discussed during the presentation.
dan _at_ denimgroup.com