11 Assessing risks
- An introduction to risk management
- Categorizing information into confidentiality, integrity, and availability requirements
- Threat modeling with the STRIDE and DREAD frameworks
- Using rapid risk assessment to integrate reviews in the DevOps process
- Recording and tracking risks in the organization
At the start of the book, you secured a single, small invoicer service hosted in a basic AWS environment. Yet, it took the better part of 10 chapters to cover all the controls necessary to properly secure that one service.
Organizations don’t stay small; they grow, and as they do, security teams must audit more deployment pipelines, implement more controls in more services, and perform more incident response. Inevitably, engineers become overwhelmed by the amount of security work required to keep the organization safe and the business operating securely. This is when risk management comes into play.
Everyone understands risk. It’s a concept we learn at a young age and one that people apply to everyday life without giving it much thought. If you’re headed to the bank with $5,000 in your pocket, walking through a bad part of town is a lot riskier than driving there. How much riskier, exactly? That’s hard to say, at least without a proper risk-assessment framework.