Application profiling

An enterprise organization might have tons of applications designed and built to serve various business purposes. The applications may be small or complex and could be built using various technologies. Now, when it's time to design and implement an enterprise-wide application security program, it becomes crucial to decide on the priority for assessment. There might be 100 applications in all; however, due to limited resources, it may not be possible to test all 100 of them within the specified duration. This is when application profiling comes in handy.

Application profiling involves classifying applications into various criticality groups such as high, medium, and low. Once classified, an assessment priority can then be decided on, based on the group the application belongs to. Some of the factors that help to classify the applications are as follows:

  • What is the type of application (thick client, thin client, or mobile app)?
  • What is the mode of access (internet/intranet)?
  • Who are the users of the application?
  • What is the approximate number of users using the application?
  • Does the application contain any business-sensitive information?
  • Does the application contain any Personally Identifiable Information (PII)?
  • Does the application contain any nonpublic information (NPI)?
  • Are there any regulatory requirements pertaining to the application?
  • For how long can the application's users sustain operations if the application is unavailable?

The answers to the preceding questions can help classify the applications. Application classification can also help in effectively scoring vulnerabilities.
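As an added illustration (not part of the original text), the following Python turns the profiling questions above into a scoring model that places each application in a high, medium, or low group and orders a portfolio for assessment. The weights, thresholds, and the three sample applications are assumptions constructed for the example; an organization would tune them to its own risk appetite.

```python
from dataclasses import dataclass

@dataclass
class AppProfile:
    name: str
    app_type: str            # "thick", "thin" or "mobile"
    access: str              # "internet" or "intranet"
    user_count: int
    business_sensitive: bool
    pii: bool
    npi: bool
    regulated: bool
    max_outage_hours: float  # how long users can cope without it

# Weights below are an assumption for illustration; tune them per organization.
def criticality_score(app: AppProfile) -> int:
    score = 0
    if app.access == "internet":
        score += 3           # reachable by anyone, largest exposure
    if app.app_type in ("thin", "mobile"):
        score += 1           # browser- or device-side attack surface
    if app.user_count >= 1000:
        score += 2
    elif app.user_count >= 100:
        score += 1
    score += 2 if app.business_sensitive else 0
    score += 3 if app.pii else 0
    score += 2 if app.npi else 0
    score += 3 if app.regulated else 0
    if app.max_outage_hours < 4:
        score += 3           # little tolerance for downtime
    elif app.max_outage_hours < 24:
        score += 1
    return score

def criticality_group(score: int) -> str:
    return "high" if score >= 10 else "medium" if score >= 5 else "low"

def assessment_order(apps):
    # Highest criticality first; ties broken by name for a stable plan.
    ranked = sorted(apps, key=lambda a: (-criticality_score(a), a.name))
    return [(a.name, criticality_score(a), criticality_group(criticality_score(a)))
            for a in ranked]

# Constructed sample portfolio (hypothetical applications, not real ones).
SAMPLE_APPS = [
    AppProfile("cafeteria-menu", "thin", "intranet", 500, False, False, False, False, 72),
    AppProfile("hr-payroll", "thick", "intranet", 30, True, True, False, False, 48),
    AppProfile("customer-portal", "thin", "internet", 50000, True, True, False, True, 2),
]
```

Running `assessment_order(SAMPLE_APPS)` ranks the internet-facing, PII-holding, regulated portal first and the low-impact intranet page last, which is the assessment priority the profiling exercise is meant to produce.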
