Software Risk Assessment

How to protect your business from a catastrophic IT failure

What is Software Risk?

Risk is broadly defined as a situation involving exposure to danger. Danger in the business world comes in many forms, and its importance differs depending on who you ask within an organization. In today’s world, software is at the operational and financial heart of every business. To make the issue concrete, imagine how a business would be affected if, in an instant, every piece of software it uses simply stopped working at the same time. The impact would be almost immeasurable.

To better frame the problem of software risk, consider the following. In a report on software failures, tricentis.com found that in 2017, software failures cost the economy US$1.7 trillion in financial losses (up from US$1.1 trillion in 2016). In total, software failures at 314 companies affected 3.6 billion people and caused more than 268 years of downtime. [1]

What is a Software Risk Assessment (SRA)?

An SRA is a process in which a qualified software development architect is tasked with performing discovery, inventorying assets, identifying points of risk, and providing actionable recommendations to the leadership of the organization. These recommendations are delivered with estimated costs, timelines and service provider recommendations.

The recommended corrections can be performed by any qualified service provider that follows a sustained plan to ensure that the measures put into practice are industry standard and maintainable.

What are the benefits of an SRA?

There are several high- and low-level benefits to having an SRA performed for your business. Software, as long as it works properly in the eyes of the end user, tends to be treated as a ‘set it and forget it’ type of asset. Only when the software breaks and the required functionality is no longer available is leadership informed of the problem. This presents several risks to the operational, financial and compliance aspects of any business.

An SRA will effectively identify issues within the existing software infrastructure of a business before they have a negative impact. Leadership can then approach the issues in a proactive manner and make the required course corrections with minimum friction and cost.

How does an SRA work?

An SRA provider first meets with the key stakeholders of the organization to gain a summary understanding of the inherent risks and the challenges being faced operationally. Once the provider has a solid understanding of these factors, they proceed to gather a detailed inventory of all software used in the business. Using this inventory as a guide, the provider then performs a deeper discovery of each software asset, identifying its function, value and risk to the organization.

The SRA provider then correlates the findings of the discovery process with the organization's higher-level outlook to ensure that each software asset provides a net positive gain in its role in the ecosystem.

What comes next?

Once the findings of the SRA have been compiled, the provider presents the stakeholders of the organization with actionable recommendations to address the key risks identified. These risks are ranked using several key metrics, in an order that allows leadership to make informed and fiscally responsible decisions on how to move forward.

A Practical Example

Remote control software – applications that allow remote users to securely connect to and control PCs and servers – has been around for decades and can be a very useful tool when used correctly. In 2012, the source code for the very popular remote control application pcAnywhere was leaked onto the internet by malicious hackers. The risk was that any vulnerabilities in the now-exposed source code could be found by other malicious hackers and used to compromise any machine running the software. The version of pcAnywhere that corresponded to the leaked source code was installed on millions of machines in industries ranging from healthcare to banking to election systems.

“The first apparent risk is that one can now detect flaws in the code itself for exploit. Symantec has presumably fixed any pending security flaws they were aware of by releasing a quick patch after the source code leaked out. The other risk is that one could potentially (though a monumental task) use the source to make a silently installed remote desktop app to gain control over a PC. This may be more tricky to do with modern day NAT routers in that UPnP was not part of pcAnywhere until 12.5.” [2] – infosecinstitute.com

Get ahead of the problem

Some companies were very proactive about identifying which machines in their networks were exposed to the risk and removing the software immediately. Others knew the software was installed but chose not to act. Still others either weren’t aware that the software was installed in their organization or did not know that the source code had been leaked.

This immense risk could have been effectively mitigated had these companies engaged a provider to perform regular, ongoing Software Risk Assessments.

Get your FREE Software Risk Assessment Scheduled Today (a $5000 value)!

Please call us at 402-817-4313 or email support@agilx.com to get your SRA on the calendar. We will send a team of highly qualified software and digital security experts to your business at NO COST.