Risk Register
This page lists the mapping of risks to controls in our software process.
Application logging failures
Description:
Inadequate logging or monitoring of application activities, leading to missed detection of malicious actions or operational issues.
Mitigations:
- Implementing detailed logging of all critical application events and user activities.
- Regular review and analysis of logs to identify suspicious patterns or anomalies.
Code quality issues
Description:
Poorly written or unmaintainable code leading to security vulnerabilities, application errors, or system failures.
Mitigations:
- Thorough code review processes to ensure adherence to secure coding standards and best practices.
- Implementing automated quality checks and static analysis tools to enforce coding standards.
Compromised secrets management
Description:
Exposure of sensitive information, such as API keys, passwords, or cryptographic keys, due to poor secrets management.
Mitigations:
- Utilizing secure secrets management tools to store and access sensitive information.
- Limiting access to secrets based on the principle of least privilege and regularly rotating secrets.
Dependency vulnerabilities
Description:
Vulnerabilities or outdated components in third-party libraries or dependencies used in the software.
Mitigations:
- Regularly updating dependencies and using software composition analysis tools to identify and remediate vulnerabilities.
- Implementing semantic versioning to manage updates and reduce risks associated with incompatible changes.
Environment Breach
Description:
An external attacker running workloads in our system.
Mitigations:
Inadequate Risk Assessment
Description:
Failure to properly identify, assess, and mitigate risks throughout the SDLC.
Mitigations:
- Regular risk assessments aligned with the threat landscape and business objectives.
- Incorporating feedback from incidents and audits into the risk assessment process.
Insider Threat
Description:
Someone inside the company acts against its best interests.
Mitigations:
Insufficient Change Management
Description:
Lack of control or oversight over changes to the system, potentially introducing vulnerabilities or breaking existing functionality.
Mitigations:
- Maintaining detailed records of all changes made to the system, including the rationale and potential impact.
- Implementing strict deployment controls and approval processes to ensure all changes are reviewed.
Insufficient Security Controls
Description:
Weak or missing security controls that fail to protect against known threats and vulnerabilities.
Mitigations:
- Enforcing secure coding practices and guidelines to prevent common vulnerabilities.
- Conducting regular security audits and penetration tests to identify and remediate gaps.
Lack of Service Ownership
Description:
Ambiguity in responsibility for services or components, leading to delayed response to incidents or unresolved issues.