# Application Management

Application Management is an [[Foundational Capabilities|Information Technology]] capability and foundational dependency for [[Cybersecurity]]. Application Management is often provided through a commercial automated solution and sometimes includes both purchased and organization-developed applications depending on industry and org goals.

## Map

``` mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
    subgraph two[Foundational]
        subgraph subPadding1[ ]
            direction LR
            F[Application Management]
            G[Asset Management]
            H[Backup and Recovery]
            I[Code Management]
            J[Data Management]
            K[Device Management]
            L[Domain Management]
            M[Email Management]
            N[Identity and Access Management]
            O[Log Management]
            P[Network Management]
            Q[Policy Automation]
            R[Stream Processing]
            S[Third Party Management]
            T[Training]
            F ~~~ G
            G ~~~ H
            H ~~~ I
            I ~~~ J
            K ~~~ L
            L ~~~ M
            M ~~~ N
            N ~~~ O
            P ~~~ Q
            Q ~~~ R
            R ~~~ S
            S ~~~ T
        end
    end

    %% Class Definitions
    %% =====================
    class two subPadding;
    classDef subPadding fill:none,font-size:20px;
    class subPadding1,subPadding2 subgraph_padding;
    classDef subgraph_padding stroke:none,fill:none,margin:0;
    class F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T internal-link,font-color:white;
    class Top cssClassL0;
    classDef cssClassL0 fill:black,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
    class A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T cssClassL1;
    classDef cssClassL1 fill:gray,stroke:#333,stroke-width:0px,font-size:15px,font-color:white;
    class F cssClassCurrent;
    classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

>[!cm-definition] Definition
>**Application Management** is the capability of governing software applications throughout an end-to-end lifecycle, from installation, through improvements, and to end of life.
## Process

This is a basic depiction of the high-level application management process for the purpose of identifying its relationship to cybersecurity capabilities.

```mermaid
flowchart LR
    A[1. Model Business <br /> Capabilities]
    B[2. Identify <br /> Needs and <br /> Requirements]
    C[3. Source <br /> Application]
    D[4. Install <br /> Application]
    E[5. Operate <br /> Application]
    F[6. Measure <br /> Application]
    G[7. Improve <br /> Application]
    H[8. Exit <br /> Application]
    A --> B --> C --> D --> E --> F --> G --> H --> A
```

## Maturity Model

The maturity of application management from a cybersecurity perspective is driven by its readiness in achieving the organization's adversary reduction goals.

| | Stage 1 | Stage 2 | Stage 3 | Stage 4 | Stage 5 |
| --- | --- | --- | --- | --- | --- |
| | ***Ability to Respond, Fix, and Restore*** | ***Ability to Plan, Protect, and Monitor*** | ***Ability to Build, Verify, and Defend*** | ***Ability to Strategize, Refine, and Triage*** | ***Ability to Predict, Optimize, and Improve*** |
| <br><br><br><br><br><br>**Category** | Application Inventory<br><br>Defect Tracking<br><br>Internet-Exposed Application Inventory<br><br>Patch Management | Application Hardening<br><br>Application Lifecycle<br><br>Application Monitoring | Application Design & Architecture<br><br> | Dependency Tracking<br><br>Use Case Management<br><br>Version Tracking | Application Optimization<br><br>Application Risk Score |
| <br><br><br><br>**Dependent Capability** | [[Asset Restoration]]<br><br>[[Incident Management]]<br><br>[[Remediation Management]] | [[Alert Correlation]]<br><br>[[Deny Listing]]<br><br> | [[Application Decoys]]<br><br>[[Case Management]]<br><br>[[Defense Modeling]]<br><br>[[Resilience Testing]] | [[Allow Listing]]<br><br>[[Attack Surface Enumeration]]<br><br>[[Exploit Management]] | [[Adversary Intelligence]] |

## Requirements

This table contains the dependency requirements for Application Management to provide the foundational support for dependent Cybersecurity capabilities.

| Category & Function | Guidance | Dependent Capability | Adversary Personas |
| --- | --- | --- | --- |
| **Application Design & Architecture**<br><br>Identify project opportunities and build vs. buy decisions | + Capture business requirements for an application, including any goals related to abuse management.<br>+ Identify potential capability improvements to meet goals.<br>+ Document the application architecture for achieving business requirements and goals.<br>+ Ensure business requirements include abuse constraints.<br>+ Identify technical requirements for build vs. buy decisions.<br>+ Document the ideal state. | [[Persona Management]]<br><br>[[Defense Modeling]] | [[Cyber Researcher]]<br><br>[[Money Movers]]<br><br>[[Phishing]]<br><br>[[Weaponizer]] |
| **Application Development** | + Implement security features to mitigate abuse.<br>+ Use only hardened application components. | | |
| **Application Hardening** | + Ensure proper integration with other capabilities (IAM and Code Management, etc.).<br>+ Ensure all needed controls are implemented to reduce the potential for misuse and abuse of an application. | [[Resilience Testing]]<br> | [[Bug Bounty]]<br><br>[[Cyber Researcher]]<br><br>[[Insider Threat]]<br><br>[[Red Team]] |
| **Application Integration** | | | [[Supply Chain]] |
| **Application Inventory**<br><br>Govern applications to achieve efficiency and lower risk. | + Assign a unique identifier to each application.<br>+ Application Owners are clearly identified and continuously updated.<br>+ All changes and application work can be traced to the Application identifier.<br>+ The inventory can be queried through automated methods or published for subscription.<br>+ Identify any service level agreements and performance thresholds for the application.<br>+ Register and track whether an application is available to the public internet in a standard and continuously updated inventory.<br>+ Identify applications that support paid customers. | [[Allow Listing]]<br><br>[[Application Decoys]]<br><br>[[Attack Surface Enumeration]]<br><br>[[Deny Listing]]<br><br>[[Exploit Management]]<br><br>[[Incident Management]]<br><br>[[Resilience Testing]]<br> | [[Bug Bounty]]<br><br>[[Cyber Researcher]]<br><br>[[Insider Threat]]<br><br>[[Money Movers]]<br><br>[[Nation State]]<br><br>[[Script Kiddies]]<br><br>[[Weaponizer]] |
| **Application Lifecycle** | + The maturity and disposition of an application is captured in the application inventory.<br>+ The expected life of an application is documented in the application inventory.<br>+ Applications are reviewed and the lifecycle is updated at least once per year.<br>+ Applications that have reached their end of life are deprecated and the identifier marked as retired. | [[Incident Management]]<br><br>[[Resilience Testing]] | [[Script Kiddies]] |
| **Application Monitoring** | + Applications are continuously monitored.<br>+ Behavioral baselines are established and provide the basis for service level thresholds. | [[Alert Correlation]]<br><br>[[Case Management]]<br><br>[[Resilience Testing]] | [[Bug Bounty]]<br><br>[[Cyber Researcher]]<br><br>[[Script Kiddies]] |
| **Application Procurement** | + Identify needed features from outlined needs and requirements. | | [[Supply Chain]] |
| **Application Risk Score** | + An Application Risk Score is documented and assigned to the application identifier which includes all attributable risks. | [[Adversary Intelligence]]<br><br>[[Allow Listing]]<br><br>[[Incident Management]]<br><br>[[Remediation Management]]<br><br>[[Resilience Testing]] | [[Cyber Researcher]] |
| **Capability Map**<br><br>Track business capabilities to govern investments | + Map business capabilities.<br>+ Assign applications to a business capability. | [[Attack Surface Enumeration]] | All |
| **Defect Tracking** | + Defects are assigned to an application and tracked until remediated.<br>+ Defects are included in the Application Risk Score.<br>+ Defects are tracked against a specified and documented hygiene budget. | [[Remediation Management]] | [[Bug Bounty]]<br><br>[[Cyber Researcher]]<br><br>[[Insider Threat]]<br><br>[[Script Kiddies]] |
| **Dependency Tracking** | + Dependencies are assigned an identifier and included in the Application Inventory.<br>+ Dependency version is documented.<br>+ Dependencies are vetted and assigned a preference level. | [[Attack Surface Enumeration]]<br><br>[[Exploit Management]]<br><br>[[Incident Management]] | [[Bug Bounty]]<br><br>[[Cyber Researcher]]<br><br>[[Insider Threat]]<br><br>[[Supply Chain]] |
| **EOL (End of Life) Management** | | | [[Bug Bounty]]<br><br>[[Cyber Researcher]] |
| **Needs Assessment**<br><br>Assess what level of automation is needed | + Conduct user interviews to identify automation needs.<br>+ Assess existing process steps and tasks to identify opportunities to increase efficiency through automation.<br>+ Outline any new opportunities for automation. | [[Persona Management]] | [[Insider Threat]] |
| **Patch Management** | + Routinely patch applications to achieve remediation targets. | [[Asset Restoration]] | [[Bug Bounty]]<br><br>[[Cyber Researcher]]<br><br>[[Script Kiddies]] |
| **Use Case Management**<br><br> | + Track digitally assisted use cases.<br>+ Identify and document new use cases.<br>+ Use cases should be traced to a funded business capability goal. | [[Persona Management]]<br><br>[[Defense Modeling]] | [[Bug Bounty]]<br><br>[[Cyber Researcher]] |
| **Version Tracking** | + Track all versions of software within the Application Inventory. | [[Attack Surface Enumeration]]<br><br>[[Resilience Testing]] | [[Bug Bounty]]<br><br>[[Cyber Researcher]] |

## Metrics

>[!cm-metric] Metric: [[% of Applications in Use]]

>[!cm-metric] Metric: [[% of Expired Applications in Use]]

>[!cm-metric] Metric: [[% of Hygiene Budget used YoY]]

## Inspiration & Resources

+ [What is Application Management? | IBM](https://www.ibm.com/topics/application-management)
+ [Definition of Application Management - IT Glossary | Gartner](https://www.gartner.com/en/information-technology/glossary/application-management)

## Release Notes

+ [[WIP - Q4 2024 Release#Develop Templates for sub-pages of Foundational Capabilities]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.