Application Security Schema

In KScope's Application Security Posture Management (ASPM) model, asset modeling begins with a foundational structure that defines applications and evaluates their risk through business and technical dimensions. These Element Types are used to logically organize and track the components, deployments, and criticality assessments of software systems — helping security and risk teams gain full visibility into what’s running, where it runs, and how critical it is.

This model supports:

  • Modeling an application’s structure and its operational environments

  • Assessing risk based on business impact and CIA (Confidentiality, Integrity, Availability) posture

  • Defining software components and underlying infrastructure services


🧩 Element Types and Descriptions

| Element Type | Description |
| --- | --- |
| Application Package (AppPackage) | The logical definition of an application. It may be a standalone app or composed of multiple subcomponents in a parent-child hierarchy. This is the core unit around which other elements are organized. |
| Application Deployment (AppDeploy) | Represents an installed instance of an AppPackage. Each deployment is tied to an environment (e.g., Dev, Test, Prod, DR) and includes a specific version of the application. |
| Application Component (AppComponent) | Defines a physical, modular unit within an application that provides specific functionality, such as APIs, middleware, services, or platform code. Each component is versioned and environment-specific. |
| Technical Service | A shared IT capability or infrastructure service required by applications. This can include runtimes, databases, message brokers, identity services, etc., typically maintained by infrastructure or platform teams. |
| CIA Rating | Evaluates an application's security posture across Confidentiality, Integrity, and Availability. Helps quantify and prioritize application risk based on how well it protects sensitive data and maintains reliability. |
| Business Impact | Assesses how an application’s failure or compromise would affect the organization across four domains: Legal & Regulatory, Public Reputation, Financial Reporting, and Cash Flow. Enables risk-aligned prioritization. |


🔎 How These Element Types Work Together

These Element Types form a complete and connected application model:

  1. AppPackage is the top-level definition of the software.

  2. Each AppPackage has one or more AppDeployments representing runtime instances across environments.

  3. Each AppDeployment is composed of AppComponents (APIs, services, etc.).

  4. AppComponents and AppDeployments rely on Technical Services (e.g., databases, runtime environments).

  5. CIA Ratings and Business Impact assessments are applied at the AppPackage level to evaluate security posture and operational risk.
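
The relationships listed above, as an added example that is not KScope's own code or schema: a small Python model of the element types, used to rank which deployments rely on a given Technical Service. The field names, the 1 to 5 rating scale, the max-based priority and the sample applications are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Assumed field names and 1 (low) to 5 (high) rating scale; not KScope's actual schema.

@dataclass
class AppComponent:
    name: str
    version: str
    services: set = field(default_factory=set)    # Technical Services it relies on

@dataclass
class AppDeploy:
    environment: str                               # Dev, Test, Prod, DR
    version: str
    components: list = field(default_factory=list)
    services: set = field(default_factory=set)    # services the deployment itself relies on

@dataclass
class AppPackage:
    name: str
    cia: dict                                      # rated at the AppPackage level
    impact: dict                                   # rated at the AppPackage level
    deployments: list = field(default_factory=list)
    children: list = field(default_factory=list)  # parent-child hierarchy

def walk(pkg):
    yield pkg                                      # the package, then its sub-packages
    for child in pkg.children:
        yield from walk(child)

def exposure(packages, service, environment=None):
    """Rank every deployment that relies on `service`, highest-rated package first."""
    hits = []
    for pkg in (p for root in packages for p in walk(root)):
        priority = max([*pkg.cia.values(), *pkg.impact.values()])
        for dep in pkg.deployments:
            via = sorted(c.name for c in dep.components if service in c.services)
            if service in dep.services:
                via.append("<deployment>")         # relied on directly by the deployment
            if via and environment in (None, dep.environment):
                hits.append((priority, pkg.name, dep.environment, via))
    return sorted(hits, key=lambda h: (-h[0], h[1], h[2]))

# Constructed sample data: a parent package with one child, sharing a database service.
billing = AppPackage("billing", {"C": 5, "I": 4, "A": 3}, {"Cash Flow": 5}, [
    AppDeploy("Prod", "2.1", [AppComponent("invoice-api", "2.1", {"postgres"})]),
    AppDeploy("Dev", "2.2", [AppComponent("invoice-api", "2.2", {"postgres"})])])
portal = AppPackage("portal", {"C": 2, "I": 2, "A": 3}, {"Public Reputation": 3},
    [AppDeploy("Prod", "1.4", [AppComponent("web", "1.4", {"redis"})], {"postgres"})],
    children=[billing])
```

Calling `exposure([portal], "postgres", "Prod")` lists the child package `billing` ahead of `portal`, because the ratings attached to each AppPackage decide the order rather than the position in the hierarchy.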


✅ Benefits of This Modeling Approach

  • Provides full traceability of software from design to deployment.

  • Enables risk-informed decision-making for remediation and security investments.

  • Supports environment-specific analysis (e.g., Prod vs. Dev risk posture).

  • Helps teams focus on business-critical apps and components first.
