Introduction to risk assessment
As Dr Gary Wills says in his welcome video, before we can secure our app, we first need to perform a risk assessment. We need to know what the threats are, and how much we care about defending against them.
The starting point is to identify the assets controlled by the mobile application. These are the things an attacker may be interested in, and therefore the things we need to protect.
From this understanding of the assets, we can carry out a risk assessment: how are these assets threatened? Once the assessment has identified both the threats and the vulnerabilities that expose these information assets, we can decide which controls need to be put in place to protect them.
How do we do a mobile app risk assessment?
In the case of a mobile app risk assessment, we need to:
identify the different mobile app usage scenarios and define the scope of the assessment
undertake threat modelling, which helps us understand the source, the target and the actors involved in each threat
find the vulnerabilities that a threat may exploit, and analyse their impact on the target assets' confidentiality, integrity and availability
evaluate the impact and likelihood of each risk in order to prioritise the risks
find the most appropriate control to mitigate each risk, or to reduce its likelihood
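The five steps above, worked through for a constructed scenario. This is an added illustration, not material from the course or from Dr Wills; the hypothetical banking app, its assets, the example threats and vulnerabilities, and the 1 to 3 rating scales with risk score = highest CIA impact × likelihood are all assumptions made for the example.

```python
"""Worked mobile-app risk register (added illustration, not course material).

Constructed scenario: a hypothetical mobile banking app with three assets.
Assumed scales: each CIA impact and the likelihood are rated 1 (low) to 3
(high); risk score = highest CIA impact * likelihood, i.e. a 3x3 matrix.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """Step 1: something the app controls that an attacker may want."""
    name: str
    description: str


@dataclass
class Risk:
    """Steps 2-5: one threat/vulnerability pair against one asset."""
    asset: Asset
    threat: str            # source, actor and what they do (threat model)
    vulnerability: str     # weakness that lets the threat succeed
    impact: dict           # {"C": 1-3, "I": 1-3, "A": 1-3}
    likelihood: int        # 1-3
    controls: list = field(default_factory=list)  # chosen mitigations

    def score(self) -> int:
        # Worst-case CIA impact scaled by how likely the threat is.
        return max(self.impact.values()) * self.likelihood

    def level(self) -> str:
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def validate(risk: Risk) -> None:
    """Reject ratings outside the assumed 1-3 scales before prioritising."""
    for key in ("C", "I", "A"):
        if key not in risk.impact or not 1 <= risk.impact[key] <= 3:
            raise ValueError(f"bad {key} impact for {risk.asset.name}")
    if not 1 <= risk.likelihood <= 3:
        raise ValueError(f"bad likelihood for {risk.asset.name}")


def prioritise(risks: list) -> list:
    """Step 4: order risks highest score first (asset name breaks ties)."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-r.score(), r.asset.name))


def build_register() -> list:
    """Constructed sample register for the hypothetical banking app."""
    session = Asset("session token", "bearer token held in memory and at rest")
    pin = Asset("user PIN", "credential used to unlock the app")
    balance = Asset("account data", "balances and transactions shown in the app")
    return [
        Risk(session, "thief with physical access reads app storage",
             "token stored in plaintext app preferences",
             {"C": 3, "I": 3, "A": 1}, likelihood=2,
             controls=["store token in platform keystore",
                       "short token lifetime"]),
        Risk(pin, "malware on a rooted device reads the app log",
             "PIN written to the debug log",
             {"C": 3, "I": 1, "A": 1}, likelihood=3,
             controls=["never log credentials", "root detection"]),
        Risk(balance, "attacker on open Wi-Fi intercepts traffic",
             "TLS used without certificate pinning",
             {"C": 2, "I": 2, "A": 1}, likelihood=2,
             controls=["pin the server certificate"]),
        Risk(balance, "denial of service against the backend",
             "no offline cache of last-known data",
             {"C": 1, "I": 1, "A": 2}, likelihood=1,
             controls=["cache last-known balance read-only"]),
    ]


def report(risks: list) -> list:
    """One line per risk, highest priority first, with its chosen controls."""
    return [f"{r.level():6} {r.score()}  {r.asset.name}: {r.threat} "
            f"-> {', '.join(r.controls)}" for r in prioritise(risks)]


if __name__ == "__main__":
    for line in report(build_register()):
        print(line)
```

The ordering is the point: the PIN-in-log entry outranks the plaintext token even though both are confidentiality-critical, because the malware threat was judged more likely, and the availability risk lands last, so controls are chosen and budgeted in that order.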
Whilst this sounds like a lot to do, once you grasp the concepts and start practising them they will gradually become habits that you build into your coding.
This course gives you the fundamental concepts and tools to speed up your learning.
© University of Southampton 2017