Enterprise security: Digital transformation and risk management with Anheuser-Busch Inbev and Manulife

As enterprises continue to undergo digital transformation, rapidly delivering secure software has become a necessity. Essential to this goal is the ability to measure and manage application risk across a large number of projects and development teams.

In this post, we’ll cover two insightful talks from SnykCon 2021 about risk management and measuring key risk indicators for enterprise applications.

Enterprise application risk profiling

The first presentation was from Alex Mor, Global Director of Application Security at AB Inbev, a multinational drink and brewing company. His talk covered digital transformation in the enterprise and how it impacts cloud native applications.

According to Mor, the challenge that today’s enterprises face is the increase in new technologies and applications as development teams adopt more agile practices. In turn, many enterprises need a more streamlined approach to assessing the risk profile for these growing technology stacks and software ecosystems.

Application risk profiling, or risk rating, is an OWASP software assurance maturity model (SAMM) activity for better understanding the potential business impact of a security incident and how exposed specific applications are to threats.

Mor went on to explain a three-level approach to application risk modeling:

1. Static: Categorizing application risk based on a set of predefined questions. These questions help determine if an application is public-facing, needs to adhere to certain compliance requirements, handles sensitive data, and more.

2. Dynamic: Quantifying the overall risk level of an application portfolio. Key areas to consider at this level are how active development is, how many users there are, where applications are hosted, and other characteristics that change and evolve.

3. Real-time: Assessing risk as applications change over time. This level goes even deeper by considering application architectures, documentation, and other risk areas that are constantly changing.

The enterprise threat landscape is dynamic by nature — especially when it comes to developing cloud native applications — so it’s crucial for security teams to have real-time visibility into application risk. That’s because risk areas can guide security teams as they build out AppSec programs and other security-related processes for mitigating risk.

As part of this risk profiling process, AB Inbev uses Snyk to understand the number of vulnerabilities its applications contain, and in turn, how these security issues impact the risk exposure of the organization. These real-time security insights, integrated directly into the development process, enable AB Inbev to more easily assess and mitigate enterprise application risks.

With risk profiling, we can prioritize our efforts by first protecting the high-risk applications. But we must also make sure we have visibility into the low-risk applications and do a pulse check on them every few months.

Watch Mor’s Enterprise Application Risk Profiling talk from SnykCon 2021.

Enterprise vulnerability management with KRIs

The next talk was presented by David Matousek, Director and Lead Technical Product Owner of Cybersecurity Engineering at Manulife, a leading financial services company. He discussed using key risk indicators (KRIs) to drive healthy vulnerability management.

Matousek spoke with Manulife’s development, security, and product teams to understand the question: Why is it so hard to protect applications from open source vulnerabilities? While each team had specific challenges, visibility into application security was a problem across the board.

KRIs that track application security metrics are a great way to bring clarity and visibility throughout the enterprise. For example, Manulife tracks the percentage of applications with open source code vulnerabilities that haven’t been remediated within a specific time frame based on the company’s governance policies.

According to Matousek, there are three tactics Manulife has used to drive down open source vulnerabilities:

• Governance: Manulife defines a clear timeline for remediating vulnerabilities based on severity and application environment.

• Monitoring:Manulife measures open source vulnerabilities using Snyk’s enterprise reporting capabilities and surfaces these as global KRIs.

• DevSecOps tools team: Manulife has created a global DevSecOps team that helps development teams learn to use Snyk as part of their secure development processes.

These strategies have created an effective code vulnerability monitoring system that provides developers, security, and product teams with greater visibility into application risks. In turn, this enables Manulife to efficiently detect and remediate open source vulnerabilities and improve the security posture of its applications.

We’re on a path to enhance our application security KRIs to track more than just open source code vulnerabilities. We plan to include static application code vulnerabilities, credentials and secrets in code, vulnerabilities in image artifacts, and more. This will enable us to more accurately measure the risk of each application.

Watch Matousek’s Driving Healthy Vulnerability Management Practices in the Enterprise Using KRIs talk from SnykCon 2021.

Improving enterprise security

Through risk profiling and tracking KRIs, enterprises can gain deeper visibility into the security posture of their applications. More specifically, Mor’s advice for assessing application risk and Matousek’s approach for vulnerability management can have an enormous positive impact on application security. Greater visibility into application risk enables security and development teams to better prioritize their efforts for rapidly delivering secure enterprise software.

Want to learn more about enterprise security? See our deep dive onenterprise security best practices for managing vulnerabilities at scale.