[AA1.4: 62] Use a risk questionnaire to rank applications.
To facilitate security feature and design review processes, the SSG uses a risk questionnaire or similar method—whether manual or automated—to collect information about each application in order to assign a risk classification and associated prioritization. Information needed for an assignment might include, “Which programming languages is the application written in?” or “Who uses the application?” or “Is the application deployed in a container?” Typically, a qualified member of the application team provides the information, and the process should be short enough to take only a few minutes. Some teams might use automation to gather the necessary data. The SSG can use the answers to categorize the application as high, medium, or low risk. Because a risk questionnaire can be easy to game, it’s important to put into place some spot-checking for validity and accuracy. An overreliance on self-reporting or automation can render this activity useless.
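As an added illustration (not BSIMM's or any firm's code), the following scorer turns questionnaire answers like those above into a high/medium/low tier and spot-checks the self-reported answers against inventory facts gathered by automation; the questions, weights, thresholds and sample application are assumptions for this example.

```python
"""Constructed example: score a self-reported risk questionnaire and
spot-check the answers against independently gathered inventory data."""
from typing import Dict, List

# Assumed weights; an SSG would calibrate these for its own portfolio.
LANGUAGE_WEIGHT = {"c": 3, "cpp": 3, "java": 1, "python": 1, "go": 1}
USER_WEIGHT = {"internet": 4, "partners": 2, "employees": 1}
BOOL_WEIGHT = {"containerized": {True: 0, False: 1},
               "handles_pii": {True: 3, False: 0}}
TIER_THRESHOLDS = [("high", 7), ("medium", 4)]  # below "medium" is "low"
CHECKED_KEYS = ("languages", "containerized")   # facts automation can confirm

def score(answers: Dict) -> int:
    """Sum answer weights; an unknown language is treated as risky (3)."""
    total = max((LANGUAGE_WEIGHT.get(l, 3) for l in answers["languages"]), default=0)
    total += USER_WEIGHT[answers["users"]]
    for key, table in BOOL_WEIGHT.items():
        total += table[answers[key]]
    return total

def tier(total: int) -> str:
    for name, threshold in TIER_THRESHOLDS:
        if total >= threshold:
            return name
    return "low"

def spot_check(answers: Dict, inventory: Dict) -> List[str]:
    """Compare self-reported answers with inventory facts (repo language
    stats, deployment manifests). A mismatch is evidence of gaming or error."""
    findings = []
    for key in CHECKED_KEYS:
        reported, observed = answers[key], inventory[key]
        if key == "languages":
            reported, observed = set(reported), set(observed)
        if reported != observed:
            findings.append(f"{key}: reported {reported!r}, inventory {observed!r}")
    return findings

def assess(answers: Dict, inventory: Dict) -> Dict:
    """Classify the app; on any discrepancy, rescore with inventory facts,
    keep the riskier result, and route the app for manual review."""
    findings = spot_check(answers, inventory)
    best = score(answers)
    if findings:
        best = max(best, score({**answers, **{k: inventory[k] for k in CHECKED_KEYS}}))
    return {"score": best, "tier": tier(best),
            "needs_review": bool(findings), "findings": findings}

# Constructed sample: the team reports a low-risk profile, but the
# inventory shows C code and no container.
SELF_REPORT = {"languages": ["java"], "users": "employees",
               "containerized": True, "handles_pii": False}
INVENTORY = {"languages": ["java", "c"], "containerized": False}

if __name__ == "__main__":
    print(assess(SELF_REPORT, INVENTORY))
```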