Maturity Level 1
Perform application risk assessments
D-TA-A-1: Do you classify applications according to business risk based on a simple and predefined set of questions?
  • An agreed-upon risk classification exists
  • The application team understands the risk classification
  • The risk classification covers critical aspects of business risks the organization is facing
  • The organization has an inventory for the applications in scope
Coverage
- None: There is no coverage for this activity, or not all quality criteria have been fulfilled.
- Some: You perform this activity across some portion of your applications, to a certain extent, or review it on an ad-hoc basis, while making sure that all quality criteria are fulfilled.
- Half: You perform this activity across half of your applications, to a larger extent, or review it at regular times (though not very often), while making sure that all quality criteria are fulfilled.
- Most/All: You perform this activity across most or all of your applications, to a full extent, or review it at regular times (at least once a year), while making sure that all quality criteria are fulfilled.
Description

Use a simple method to evaluate the risk of each application, estimating the potential business impact it poses for the organization in case of an attack. To achieve this, evaluate the impact of a breach of the confidentiality, integrity and availability of the data or service. Consider using a set of 5-10 questions to capture the important characteristics of an application, such as whether it processes financial data, whether it is internet facing, or whether privacy-related data is involved. The application risk profile tells you which of these factors apply and whether they could significantly impact the organization. Treat an application whose questionnaire is incomplete as not yet classified rather than as low risk; an unanswered question should never silently lower the score.

Next, use a scheme to classify applications according to this risk. A simple, qualitative scheme (e.g. high/medium/low) that translates these characteristics into a value is often effective. It is important to use these values to represent and compare the risk of different applications against each other. Mature, highly risk-driven organizations might make use of more quantitative risk schemes. Don't invent a new risk scheme if your organization already has one that works well.
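The classification described above, worked through as an added example (this is not SAMM's or SAMMY's own code). The question set, the confidentiality/integrity/availability points awarded per "yes" answer, the high/medium/low thresholds and the sample inventory are all assumptions chosen for illustration; substitute your organization's own scheme. The example also covers the case the text warns about: an application whose questionnaire was never completed is reported as unclassified and sorted to the top, instead of defaulting to low.

```python
"""Question-based application risk classification (illustrative scheme)."""
from dataclasses import dataclass

# Hypothetical predefined question set; SAMM suggests 5-10 questions.
# A "yes" answer adds impact points to (confidentiality, integrity, availability).
QUESTIONS = {
    "internet_facing": ("Is the application reachable from the internet?", (2, 2, 1)),
    "financial_data": ("Does it process payments or other financial data?", (2, 3, 1)),
    "personal_data": ("Does it store or process personal (privacy-relevant) data?", (3, 1, 0)),
    "holds_secrets": ("Does it hold credentials or keys for other systems?", (3, 3, 0)),
    "core_process": ("Would a day-long outage stop a core business process?", (0, 1, 3)),
    "external_users": ("Do customers or other external parties use it directly?", (1, 1, 2)),
    "regulated": ("Is it in scope of a regulatory regime (e.g. PCI DSS, GDPR)?", (2, 2, 1)),
}

# Qualitative scheme (assumed thresholds): the highest single C/I/A impact decides the class.
THRESHOLDS = (("High", 5), ("Medium", 3), ("Low", 0))


@dataclass(frozen=True)
class RiskProfile:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    rating: str       # High / Medium / Low / Unclassified
    missing: tuple    # ids of unanswered questions


def classify(name, answers):
    """Build a risk profile from yes/no answers keyed by question id.

    An unanswered question never defaults to "no": an incomplete questionnaire
    yields "Unclassified", so the gap stays visible instead of lowering the risk.
    """
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"{name}: unknown question ids {sorted(unknown)}")
    for qid, value in answers.items():
        if not isinstance(value, bool):
            raise ValueError(f"{name}: answer to {qid!r} must be True or False")
    missing = tuple(q for q in QUESTIONS if q not in answers)
    c = i = a = 0
    for qid, (_text, (dc, di, da)) in QUESTIONS.items():
        if answers.get(qid) is True:
            c, i, a = c + dc, i + di, a + da
    if missing:
        return RiskProfile(name, c, i, a, "Unclassified", missing)
    worst = max(c, i, a)
    rating = next(label for label, floor in THRESHOLDS if worst >= floor)
    return RiskProfile(name, c, i, a, rating, ())


def rank(inventory):
    """Order the inventory for comparison: unclassified applications first
    (they still need an assessment), then by descending worst-case impact."""
    order = {"Unclassified": 0, "High": 1, "Medium": 2, "Low": 3}
    profiles = [classify(name, answers) for name, answers in inventory.items()]
    return sorted(
        profiles,
        key=lambda p: (order[p.rating],
                       -max(p.confidentiality, p.integrity, p.availability),
                       p.name),
    )


# Constructed sample inventory (not real applications).
INVENTORY = {
    "payment-gateway": {q: True for q in QUESTIONS},
    "intranet-wiki": {q: False for q in QUESTIONS},
    "hr-portal": {q: (q == "personal_data") for q in QUESTIONS},
    # Questionnaire started but never finished: only two answers recorded.
    "legacy-reporting": {"internet_facing": True, "financial_data": True},
}

if __name__ == "__main__":
    for p in rank(INVENTORY):
        note = f"  (missing: {', '.join(p.missing)})" if p.missing else ""
        print(f"{p.rating:<12} C={p.confidentiality:<2} I={p.integrity:<2} "
              f"A={p.availability:<2} {p.name}{note}")
```

Using the highest single C/I/A score rather than the sum keeps an application that is critical on only one axis (for example, availability of a core process) from being diluted by low scores on the other two; if your organization's existing scheme sums or weights the axes instead, change only `classify` and keep the rest.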

Recommended vendor for Application Risk Profile

Heeler helps organizations achieve Maturity Level 3 in application risk management by automating and continuously updating application risk profiles. The platform delivers a unified, real-time view of application risk, empowering stakeholders to prioritize security activities and support training efforts. By automatically flagging material changes, Heeler prompts teams to reevaluate risk profiles as needed. This ensures accurate risk assessments, improved execution, and scalable software assurance.

Why we like Heeler: We love how Heeler focuses on technical vulnerabilities, bringing together insights from application security scanners into crystal-clear dashboards. It offers a detailed view of threats in this space, with real-time threat intelligence keeping everything up to date. As part of a broader risk assessment approach, Heeler shines in its role, making it an invaluable tool for mastering application security.


OWASP Team guidance

This is the official guidance provided by the OWASP SAMM Team.

Community guidance

This guidance is based on the approved community submissions.
