internal or external player, or some other form of attack that either exposes
the data held by the application, allows unauthorized individuals to use the
application, or crashes it.
As with the governing frameworks discussed above, companies need to
assess their unique risk and compliance needs when establishing a threat
model, but here are some general rules of the road as a starting point:
• Understand the business objectives the application is used to support. After all, spend management applications fulfill different roles from customer relationship management.
• Determine who uses the application and the roles those people are performing.
• Know in a fairly precise sense the data used by the application and place a value on that data. Is it a database with credit card numbers or is it inventory control software?
• Understand when the application is used. Does it manage vendor payments or keep track of the number of SKUs held in a warehouse?
• Precisely understand how the application works. What are its mechanics?
• Use the above information to identify potential threats and vulnerabilities.
• Assess the likelihood of the identified threats and the potential impact to the company (financial, brand, compliance).
• Create procedures and policies around responses to potential threat scenarios.
• Consider the words of Learned Hand and install or create appropriate countermeasures to protect the applications from the threats. (For more on the aptly named jurist, see the “Learned Hand: One man’s control is another’s negligence” sidebar elsewhere in this chapter.)
• As with every recipe in this book, stir in a rounded cup of regularly-update-all-of-the-above.
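The steps above fit naturally into a small, repeatable register. What follows is an added example written for this edit, not code from the book: it records each asset with the roles that use it and a value placed on its data, scores every threat as likelihood times impact across the financial, brand and compliance categories, ranks the threats, and then decides which countermeasures to fund. The funding decision uses the Learned Hand calculus in its classic form, B < P × L (burden of the precaution versus probability times loss); that form is assumed from the standard statement of the rule rather than taken from the sidebar referenced above. All asset names, probabilities, loss figures and control costs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example for the threat-modelling steps above; every name, probability
# and dollar figure below is constructed for illustration, not from the book.


@dataclass
class Asset:
    name: str
    description: str          # what the application does and when it is used
    roles: Tuple[str, ...]    # who uses it and in what role
    data_value: float         # rough value placed on the data it holds (USD)


@dataclass
class Threat:
    name: str
    asset: Asset
    likelihood: float         # estimated probability of occurring per year (0..1)
    impact: Dict[str, float]  # loss per category in USD: financial, brand, compliance

    def __post_init__(self):
        # A single incident cannot cost more than the data is worth; catching
        # that early keeps the register honest about the valuation step.
        if sum(self.impact.values()) > self.asset.data_value:
            raise ValueError(f"impact of '{self.name}' exceeds value of {self.asset.name}")

    def expected_loss(self) -> float:
        """P x L: annual likelihood times the summed impact across categories."""
        return self.likelihood * sum(self.impact.values())


@dataclass
class Countermeasure:
    name: str
    threat: Threat
    annual_cost: float        # the burden B of installing and running it
    risk_reduction: float     # fraction of the threat's expected loss it removes


def hand_rule(cm: Countermeasure) -> bool:
    """Learned Hand calculus, assumed here in its classic form B < P x L:
    fund the countermeasure when its burden is smaller than the loss it averts."""
    averted = cm.risk_reduction * cm.threat.expected_loss()
    return cm.annual_cost < averted


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """The 'assess likelihood and impact' step: highest expected loss first."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def plan(threats: List[Threat], countermeasures: List[Countermeasure]) -> dict:
    """Decide which countermeasures to fund and what expected loss remains.
    Where several funded controls address one threat only the strongest
    reduction is counted, so overlapping controls are not double-counted."""
    decisions = {cm.name: hand_rule(cm) for cm in countermeasures}
    residual = 0.0
    for t in threats:
        best = max((cm.risk_reduction for cm in countermeasures
                    if cm.threat is t and decisions[cm.name]), default=0.0)
        residual += t.expected_loss() * (1.0 - best)
    return {"decisions": decisions, "residual_expected_loss": residual}


def build_register():
    """Constructed sample register: a card database and an inventory system."""
    card_db = Asset("card_db", "stores customer card numbers for billing runs",
                    ("billing clerk", "database administrator"), 5_000_000)
    inventory = Asset("inventory", "tracks SKU counts in the warehouse",
                      ("warehouse staff", "purchasing manager"), 200_000)
    threats = [
        Threat("SQL injection against card_db", card_db, 0.3,
               {"financial": 1_000_000, "brand": 500_000, "compliance": 2_000_000}),
        Threat("Insider misuse of card_db", card_db, 0.1,
               {"financial": 300_000, "compliance": 700_000}),
        Threat("Ransomware on inventory", inventory, 0.2,
               {"financial": 150_000, "brand": 20_000}),
    ]
    sqli, insider, ransomware = threats
    countermeasures = [
        Countermeasure("Parameterized queries and code review", sqli, 120_000, 0.8),
        Countermeasure("Quarterly access-rights review", insider, 40_000, 0.5),
        Countermeasure("Offline backups for inventory", ransomware, 15_000, 0.9),
        Countermeasure("24x7 managed SOC for inventory", ransomware, 80_000, 0.9),
    ]
    return threats, countermeasures


if __name__ == "__main__":
    threats, cms = build_register()
    for t in rank_threats(threats):
        print(f"{t.expected_loss():>12,.0f}  {t.name}")
    result = plan(threats, cms)
    for name, fund in result["decisions"].items():
        print(("FUND   " if fund else "DEFER  ") + name)
    print(f"residual expected loss: {result['residual_expected_loss']:,.0f}")
```

Running the script ranks the card-database injection threat first and defers the expensive monitoring contract for the inventory system, because a cheaper control already averts most of that threat's expected loss; the residual figure is what remains to be covered by the response procedures and the regular re-assessment the last two steps call for.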
Consolidating security solutions
Obviously the level and number of possible threats and risks to your applications has grown over the years. First it was hackers, then along came viruses, followed by spyware, and on and on. With each iteration, your company wisely thought it prudent to integrate some form of countermeasure — such as firewalls, anti-virus software, and so on — and then policies to enhance the technical countermeasures — such as “Don’t open e-mail attachments from unidentified or unknown sources.” Each of these was targeted toward a specific and/or emerging threat.