
Term of the Week: Application Risk Governance

What is it?

Controls to ensure that software applications are developed and operated in accordance with an organization's requirements and risk tolerance levels (NIST 2017).

Why is it important?

Application risk governance provides a framework for striking an appropriate balance between security and operational goals: it defines how much risk the business will accept in its applications, and the controls that keep delivery within that limit.

Why does a business professional need to know this?

Disruptive technologies and applications are introducing risk to organizations everywhere, both inside the enterprise and in internet-facing systems. Application risk governance provides a framework to identify and remove quality issues that pose an unacceptable level of risk at every stage of software delivery, from planning to production.

Successful governance can be achieved only if the entire process is efficiently mapped, measured, and monitored. Policies and procedures must be well-documented, and employees must have incentives to follow them.

The Open Web Application Security Project (OWASP) identifies processes that result in improved governance (OWASP 2014). These processes include the following:

  • Integration of security into the software development lifecycle (SDLC)
  • Security requirements identification
  • Design security review
  • Architecture security review
  • Security code review
  • Security testing
  • Deployment security review
  • Release security review

These processes follow the premise that governance is achieved more effectively by building security in at design time than by inspecting for it after the fact.

The US Department of Homeland Security advocates best practice in software development and a Build Security In approach as part of a comprehensive software assurance professional competency model (Jarzombek 2012).

It is important to remember: not all quality issues are security issues, but all security issues are quality issues.

References and further reading

  • (NIST 2017) Framework for Improving Critical Infrastructure Cybersecurity: NIST (2017). A set of voluntary industry standards and best practices designed to help organizations manage cybersecurity risks.
  • (NIST 800) NIST Special Publication 800 series: National Institute of Standards and Technology (NIST), US Department of Commerce, Computer Security Resource Center. A catalog of publications from the Computer Security Division and the Applied Cybersecurity Division of NIST.
  • (OWASP 2014) OWASP - Open Web Application Security Project: OWASP (2014). OWASP is an independent non-profit foundation that promotes best practices in software assurance. It is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
  • (CERT) United States Computer Emergency Readiness Team (US-CERT): US Department of Homeland Security. A repository of best practices, articles, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software during each phase of its development.
  • (ISACA 2015) DevOps Practitioner Considerations: ISACA (2015). PDF. A centralized source of information and guidance on auditing controls for computer systems in DevOps environments. Registration required.
  • (Jarzombek 2012) Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle: Jarzombek, Joe (2012). PDF. Slide deck on software assurance and the need to build security in from the start.
  • (CIS) CIS Controls: Center for Internet Security. A prioritized set of cybersecurity best practices.

About Graeme Fleck


Graeme Fleck has been part of the Hewlett Packard Enterprise Software team for four years, working in focused roles across application development, IT security, and IT operations management. As part of the marketing and sales organization, he has worked closely with HPE Fortify, presenting on and analyzing the security challenges facing global businesses.

Twitter: @fleck_hp
