We work with companies building security programs a lot. Across all aspects of the program, the word inventory is a term that seems to have a surprisingly high level of general awareness but a surprisingly low level of common definition.
in·ven·to·ry ˈinvənˌtôrē/noun 1. a complete list of items such as property, goods in stock, or the contents of a building. (Google: https://www.google.com/search?q=define+inventory)
synonyms: list, listing, catalog, record, register, checklist, log, archive;
In particular, it is always interesting to ask if:
- All apps from all business units represented?
- The inventory is updated automatically?
Unless the answer to 2. is “Yes” then the answer to 1. is almost always “No”. If the answer to “Are all apps from all business unites represented?” is no, then how can the inventory be serving as the cornerstone of your security program? I’m curious what else you might be using as a cornerstone instead…
Let’s step back – what’s the point of the inventory? The most important reason to have an inventory might be to make sure that we know what we need to do and what we’ve done. If you have a list of all of your applications that is updated (ideally automatically) and tracks security activities against those, that is a great starting point.
Many people track this in Excel or some form of spreadsheet. That isn’t inherently bad unless that is spread throughout various teams in different states. Most security vendors want you to use their tool for your inventory. The reason is that if they own the main place you go for your TODO list, that suggests you’ll be coming back to them a lot. In what I’ve seen, all those inventories and dashboards leave a lot to be desired. You might actually be better off in Excel where you can keep your vendor blinders off.
Let’s focus a bit on getting an inventory. We’ve done it by hand, by automatically pulling it from GitHub, a service meta tier, or an artifact store and in other ways. In larger companies, it is often a combination of the above. We would generally advise that the inventory be seen as a living dataset that can be a reference throughout purchasing decisions.
In future posts we’ll talk about the conversations we need to have to triage an inventory and how we can turn an inventory into a budget and a roadmap.