Toothbrushes or Diamonds - Simple Application Risk Assessment

In this issue, I’m going to show you how to automate your application assessments using the Rapid Risk Assessment (RRA) methodology. This simple technique will help your security and development teams prioritize their efforts where they matter most.

Focus on Risks

One of the biggest challenges security teams face is figuring out where to focus their limited time and resources.

Former US national security advisor McGeorge Bundy, once said, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds."

Diamonds and Toothbrushes

In order to effectively use the limited resources available to security teams, you have to find a way to classify the applications you protect and determine where your diamonds are.

Unfortunately, most teams end up treating all their applications like high impact applications, because they don’t have the data to prove otherwise. Collecting that data can feel like a monumental task.

Enter Rapid Risk Assessments (RRA)

Assess Applications in Minutes

The Mozilla security team developed the RRA methodology to help teams quickly understand the impact of a service to the business. It’s not a full risk assessment or threat model—it’s a quick way to determine whether you need to dig deeper.

Here are three important reasons you should start assessing your applications today:

  1. Resource Prioritization: By identifying which applications could have the biggest negative impact on your organization, you can focus your limited resources where they’re needed most.

  2. Audit Enablement: Having RRAs in place gives you evidence for auditors that you understand the risk profile of your applications.

  3. Risk Calculation: Impact is a key factor in assessing risk. By understanding the impact, you can more quickly evaluate vulnerabilities or audit findings.

If you have a large application portfolio this may seem like a daunting task. But it doesn’t have to be. By decentralizing the process and automating it, you can drive immediate and sustained impact.

Here’s how, step by step:

Step 1: Document the Process

It’s tempting to dive in and start implementing this right away, but that would be a mistake. Before you begin, document the process. Mozilla’s original RRA methodology is a great starting point. You can review it here: Mozilla RRA Documentation.

Don’t copy and paste, though—customize it for your org. Mozilla’s needs are not exactly the same as yours, and you can likely simplify parts or add components that make sense for your team.

As you create your process, keep these principles from Mozilla’s RRA in mind:

  1. Quick: RRAs should take no more than 15-30 minutes to complete.

  2. High-Level: You can expand into a full threat model later if necessary.

  3. Concise: Keep it short and clear, with defined risk levels.

  4. Easy to Update: RRAs should be updated continuously throughout the project lifecycle.

  5. Actionable: The RRA should give people clear next steps based on its findings.

Don’t overthink this. The most important thing is to make the process simple and to tell people exactly what they need to do.

Step 2: Establish Baseline Questions

To make the RRA quick and effective, start with a simple questionnaire. Store it in the repository with the code it describes.

Here’s a basic template for inspiration. Here’s a template you can use for inspiration. It’s designed to help you identify applications that need further review, with any ‘yes’ answer acting as a flag for additional action.

# Rapid Risk Assessment (RRA)

Purpose: This RRA helps assess the security impact of an application or service.

Answer each question. Please contact <security team> if you have questions.

## Metadata

> Please update the service metadata

Service Name:

Service Owner:

Risk Impact Rating (if known):

## Threat Scenarios

### Confidentiality

> Please answer the following questions regarding confidentiality.

1. Would a breach of this service impact more than 10,000 users? (Yes/No)

### Integrity

> Please answer the following questions to evaluate potential risks to data and process integrity.

1. Would a breach or compromise of this service impact the integrity of critical business functions such as financial reporting, customer data management, or regulatory compliance? (Yes/No)

### Availability

> Please answer the following questions to determine the importance of continuous access to this service.

1. Would an outage or downtime of this service impact more than 10,000 users? (Yes/No)

You can find an expanded version of this template here: RRA Template

Step 3: Automate

The last step is to automate this process. You should aim to:

  1. Evaluate - Automatically flag applications that need a security review.

  2. Update - Ensure the RRAs are updated regularly by checking the last modified date.

GitHub Actions make this process easy. You can configure the actions to trigger whenever the RRA file is updated, on a schedule, or manually.

I created a simple GitHub Action that you can use to automate RRAs in your environment.

The workflow parses the rra.md file in the repository. It checks for any risks that trigger a deeper review and it checks to make sure it has been updated in the last 6 months. If a review or update is needed the workflow creates a GitHub issue and assigns it to the repository owner.

You can grab the file here: rra-check.yml

Finally

Rapid Risk Assessments are a powerful way to quickly assess and prioritize your application portfolio. With the steps outlined above, you can streamline your process and keep your security efforts focused on what matters most.

Subscribe to the Newsletter

Join other product security champions getting deep dives delivered to their inbox for free every Tuesday.

Follow us:

Quick Links

Supports Links

Quick Links

© 2025 Mission InfoSec. All Rights Reserved.