
Engineering
Vulnerability Management & Risk Scoring for Business Services
Arnab Roy
22 January, 2025
In the rapidly evolving FinTech sector, PhonePe Private Limited, an India-born leader in financial services, stands out for its innovative range of products and services. Offering everything from UPI transactions and bill payments to stock market investments, personal finance management, and merchant payment solutions, PhonePe caters to millions of consumers and businesses. The platform is central to India’s digital financial ecosystem with billions of daily transactions.
However, the financial sector also attracts significant attention from cybercriminals, making security a top priority. With over 18 customer-facing applications, including mobile and web platforms, managing security risks and vulnerabilities is critical to safeguarding not only PhonePe’s business but also its customers and partners and overall abiding by critical regulatory security controls. Given the high stakes involved, PhonePe recognised the need to implement a robust application security and risk management framework to address emerging threats and ensure compliance across its tech stack.
The risk & vulnerability management solution
PhonePe’s Application Security Team recognised the necessity of building a scalable, business-driven application risk-scoring model to manage security vulnerabilities efficiently. To this end, they developed the **POD Security Score (PSS)** — a comprehensive risk scoring model designed to assess individual applications’ security posture and the broader business services they support.
The goal of the PSS model was twofold:
1. Standardise and provide a consistent approach to reporting application security risks.
2. Integrate business impact into security assessments, aligning technical vulnerabilities with business priorities.
In collaboration with Brinqa and their Risk & Vulnerability Management solution, PhonePe implemented a unified risk analytics platform to track, analyse, and score vulnerabilities across its ecosystem. The platform provided the necessary framework for collecting, analysing, and storing data from various sources, such as penetration testing results (manual and automated), static code analysis, custom (open-source) scan results, and vulnerability management systems. Importantly, it enabled the team to factor in business context—such as the criticality of the application and the associated business services—when evaluating risk.
Use Case
The primary objective for PhonePe was to bolster the security of its critical applications and services, which are integral to the company’s core business operations. The team needed to understand the impact of security vulnerabilities on its technology stack and identify the most urgent areas for remediation.
Before adopting a risk & vulnerability management solution, PhonePe relied on a legacy, homegrown asset management system and CMDB (Change/Configuration Management Database). However, this system lacked the ability to provide a clear context for security vulnerabilities, leaving many critical issues unattended. There was no cohesive way to prioritise vulnerabilities based on their potential business impact, and security risks were often assessed in isolation without considering the business function they impacted.
PhonePe realised that a more structured and business-contextualized approach was necessary to manage vulnerabilities effectively. Thus, we created a risk-scoring system that aligned the severity of security issues with the value of the business applications they affected.
How PhonePe Implemented Risk & Vulnerability Analytics
PhonePe’s Application Security Team collaborated with Brinqa to leverage its advanced risk analytics and prioritisation features to implement a tailored risk management system successfully. Here’s how the implementation unfolded:
1. Categorization and Enrichment of Vulnerabilities:
The first step involved categorising vulnerabilities and adding relevant attributes to the existing CMDB (Change/Configuration Management Database). This enabled a more nuanced understanding of each vulnerability, including:
– Severity: How critical the vulnerability is based on the CVSS (Common Vulnerability Scoring System) score.
– Business Impact: The potential impact of a vulnerability on business operations, customer trust, and financial transactions.
– Likelihood: The probability of a vulnerability being exploited.
– Remediation Steps: Clear actions and timelines for addressing vulnerabilities.
– Service-level Agreement Status: SLA timelines and the SLA status of each security vulnerability, rolling up to an overall SLA status for the business service.
By tagging vulnerabilities with business-relevant attributes, PhonePe was able to give developers and security teams a more complete picture of the risks they were facing. Vulnerabilities could now be assessed not only based on technical severity but also in terms of their potential business impact.
2. Integrating Multiple Data Sources:
PhonePe also integrated data from a variety of security testing tools and sources, including:
– Static Code Analysis: Scanning code repositories for security flaws before deployment.
– Penetration Testing: Simulating real-world attacks to identify exploitable weaknesses in applications.
– Open-Source & Custom Security Scanners: Customised scans (static & dynamic) of applications and their APIs.
– Governance, Risk, and Compliance (GRC) Frameworks: Tracking security controls, policies, and exceptions to cater to regulatory audits.
This integration allowed PhonePe to gather comprehensive security data from disparate systems and bring it into a single platform, providing a holistic view of the organisation’s security posture.
3. Risk Scoring with Business Context:
One of the most innovative aspects of the project was PhonePe’s introduction of business context into the risk-scoring process. Each application was scored based on its:
– Criticality to Business: How important the application is to PhonePe’s daily operations and customer transactions.
– Inherent Risk: The baseline level of risk associated with an application based on its design, architecture, and data sensitivity.
These business-driven attributes were combined with technical risk assessments to generate a POD Security Score (PSS). The PSS reflects the severity of vulnerabilities and indicates the level of business impact, helping security teams and business owners understand which issues require the most urgent attention.
4. Tailored Custom Data Models and Risk Analytics:
The implementation involved creating custom data models within the Risk & Vulnerability Management platform, tailored to PhonePe’s specific business terms and nomenclature. This customisation ensured that data from multiple sources—such as security scans and vulnerability reports—could be ingested and analysed seamlessly.
The solution also employed its correlation engine to provide advanced risk analysis, aggregating data from different sources to comprehensively view the organisation’s overall risk. This was supported by quantitative risk scoring that considered various factors, such as risk weights, thresholds, and data normalisation.
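As an added example (not PhonePe's or Brinqa's implementation, whose actual weights and formula the post does not disclose), the following Python sketches how the pieces described in steps 1 to 4 fit together: findings from a pentest and a SAST tool are normalised into one record, enriched with CVSS severity band, exploitation likelihood and SLA status, scaled by the owning application's criticality and inherent risk, rolled into a per-application POD Security Score, and then aggregated to the business service. Every weight, SLA window, the label-to-CVSS mapping, the PSS formula, and the sample inventory and findings are assumptions constructed for illustration.

```python
"""Business-contextualised vulnerability scoring: an added illustration, not
PhonePe's or Brinqa's code. Every weight, SLA window, label mapping and the
PSS formula itself is an assumption chosen to make the mechanics concrete."""
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed SLA windows (days)
CRITICALITY_WEIGHT = {"tier1": 1.0, "tier2": 0.7, "tier3": 0.4}     # assumed business weights
INHERENT_RISK_WEIGHT = {"high": 1.0, "medium": 0.75, "low": 0.5}    # assumed
LABEL_TO_CVSS = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}  # assumed stand-ins

@dataclass
class Application:
    name: str
    business_service: str
    criticality: str      # "tier1" | "tier2" | "tier3"
    inherent_risk: str    # "high" | "medium" | "low"

@dataclass
class Vulnerability:
    vuln_id: str
    app: str
    cvss: float           # 0.0-10.0
    likelihood: float     # assumed 0.0-1.0 exploitation estimate
    found: date
    remediated: bool = False

def cvss_band(score):
    """Standard CVSS v3 qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def normalise(record):
    """Map a raw pentest or SAST record onto the common model. Pentest rows carry a
    numeric CVSS; SAST rows only a label, replaced by an assumed representative score."""
    cvss = record.get("cvss")
    if cvss is None:
        cvss = LABEL_TO_CVSS[record["severity"].lower()]
    return Vulnerability(record["id"], record["app"], float(cvss),
                         record.get("likelihood", 0.5), record["found"],
                         record.get("status") == "fixed")

def sla_status(v, today):
    """'closed', 'within_sla' or 'breached' against the severity band's SLA window."""
    if v.remediated:
        return "closed"
    due = v.found + timedelta(days=SLA_DAYS[cvss_band(v.cvss)])
    return "within_sla" if today <= due else "breached"

def vuln_risk(v, app):
    """Technical risk (severity x likelihood) scaled by business context, on 0-100."""
    technical = (v.cvss / 10.0) * v.likelihood
    context = CRITICALITY_WEIGHT[app.criticality] * INHERENT_RISK_WEIGHT[app.inherent_risk]
    return round(100 * technical * context, 1)

def pod_security_score(app, vulns, today):
    """Assumed PSS: 100 minus summed open risk, minus 10 per SLA breach, floored at 0."""
    open_v = [v for v in vulns if v.app == app.name and not v.remediated]
    risk = sum(vuln_risk(v, app) for v in open_v)
    breaches = sum(sla_status(v, today) == "breached" for v in open_v)
    return max(0.0, round(100 - risk - 10 * breaches, 1))

def service_rollup(apps, vulns, today):
    """Per business service: the weakest app's PSS, and SLA 'breached' if any open finding is."""
    out = {}
    for app in apps:
        entry = out.setdefault(app.business_service, {"pss": 100.0, "sla": "within_sla"})
        entry["pss"] = min(entry["pss"], pod_security_score(app, vulns, today))
        if any(sla_status(v, today) == "breached" for v in vulns if v.app == app.name):
            entry["sla"] = "breached"
    return out

# Constructed sample inventory and findings (not real applications or issues).
APPS = [Application("payments-api", "UPI Payments", "tier1", "high"),
        Application("bill-pay-web", "UPI Payments", "tier2", "medium"),
        Application("stocks-portal", "Investments", "tier2", "low")]
RAW = [{"id": "PT-1", "app": "payments-api", "cvss": 9.8, "likelihood": 0.9, "found": date(2025, 1, 1)},
       {"id": "PT-2", "app": "payments-api", "cvss": 5.3, "likelihood": 0.3, "found": date(2025, 1, 20)},
       {"id": "SAST-7", "app": "bill-pay-web", "severity": "High", "found": date(2025, 1, 10), "status": "fixed"},
       {"id": "SAST-9", "app": "stocks-portal", "severity": "High", "found": date(2024, 12, 1)}]
TODAY = date(2025, 1, 22)
VULNS = [normalise(r) for r in RAW]

if __name__ == "__main__":
    for app in APPS:
        print(f"{app.name}: PSS {pod_security_score(app, VULNS, TODAY)}")
    print(service_rollup(APPS, VULNS, TODAY))
```

Two design choices carry the business-context idea: the same CVSS 8.0 finding costs a tier-1, high-inherent-risk application far more score than a tier-2, low-inherent-risk one, and a business service inherits the score of its weakest application rather than an average, so one neglected component cannot be hidden behind several healthy ones. The SLA penalty is what turns a stale finding into a visible drop on the dashboard rather than a static severity label.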
5. Interactive Dashboards and Reporting:
PhonePe’s vulnerability management team created interactive dashboards using the solution, which allowed business owners and security teams to:
– Track and compare risk scores for different applications and business services.
– Visualize risk metrics in real-time, enabling quick decision-making and prioritisation of resources.
– Foster competition and accountability by allowing different teams to compare their security risk scores, promoting healthy competition to improve security outcomes.
The dashboards provided easy-to-understand insights shared with key stakeholders, including executives, business owners, and developers. Regular reporting ensured that vulnerabilities were constantly monitored, tracked, and addressed.
Results and Outcomes
By implementing a risk analytics platform, PhonePe achieved several key outcomes:
– Holistic View of Application Risk: Integrating business context with technical vulnerability data provided a comprehensive view of risk across the organisation. This helped the team prioritise vulnerabilities based on their technical severity and impact on the business.
– Improved Risk Prioritization: The custom risk models and scoring systems allowed PhonePe to prioritise vulnerabilities aligned with the organisation’s business priorities, ensuring that the most critical risks were addressed first.
– Enhanced Collaboration: By creating custom dashboards and reporting mechanisms, PhonePe facilitated better collaboration between security teams, developers, and business owners, ensuring that everyone had access to the information they needed to take action.
– Data-Driven Decision Making: With detailed risk metrics and “what-if” analysis, PhonePe could make data-driven decisions about resource allocation, remediation strategies, and risk mitigation planning.
– Increased Security Posture: Overall, the initiative helped PhonePe significantly improve its security posture, reducing the likelihood of breaches and ensuring its applications and business services remained secure, compliant, and resilient.
In an industry where security is paramount, PhonePe’s implementation of an application risk and vulnerability management framework allowed the company to move from a reactive, siloed approach to a proactive, business-contextualized model for managing application risk. The success of the POD Security Score (PSS) and its integration into the broader business strategy demonstrate the power of combining technical security measures with business-driven decision-making, ensuring that PhonePe’s digital ecosystem remains secure despite constantly evolving threats.