11 Assessing risks


This chapter covers

  • An introduction to risk management
  • Categorizing information into confidentiality, integrity, and availability requirements
  • Threat modeling with the STRIDE and DREAD frameworks
  • Using rapid risk assessment to integrate reviews in the DevOps process
  • Recording and tracking risks in the organization

At the start of the book, you secured a single, small invoicer service hosted in a basic AWS environment. Yet, it took the better part of 10 chapters to cover all the controls necessary to properly secure that one service.

Organizations don’t stay small; they grow, and as they do, security teams must audit more deployment pipelines, implement more controls across more services, and handle more incidents. Inevitably, engineers become overwhelmed by the amount of security work required to keep the organization safe while the business keeps operating. Because not everything can be fixed at once, the work has to be prioritized, and this is when risk management comes into play.

Everyone understands risk. It’s a concept we learn at a young age and one that people apply to everyday life without giving it much thought. If you’re headed to the bank with $5,000 in your pocket, walking through a bad part of town is a lot riskier than driving there. How much riskier, exactly? That’s hard to say, at least without a proper risk-assessment framework.

11.1 What is risk management?

11.2 The CIA triad

11.2.1 Confidentiality

11.2.2 Integrity

11.2.3 Availability

11.3 Establishing the top threats to an organization

11.4 Quantifying the impact of risks

11.4.1 Finances

11.4.2 Reputation

11.4.3 Productivity

11.5 Identifying threats and measuring vulnerability

11.5.1 The STRIDE threat-modeling framework

11.5.2 The DREAD threat-modeling framework

11.6 Rapid risk assessment

11.6.1 Gathering information

11.6.2 Establishing a data dictionary

11.6.3 Identifying and measuring risks

11.6.4 Making recommendations

11.7 Recording and tracking risks

11.7.1 Accepting, rejecting, and delegating risks