In Zero Trust, applications are not just tools; they are often the direct conduits to your most valuable data and critical business functions. You cannot secure what you do not fully understand and identify. This brings us to Zero Trust Activity 3.1.1: Application/Code Identification. 

This activity is about creating a comprehensive, authoritative inventory of all approved applications and code being used across the DoD Components. This includes everything from open-source software and commercial off-the-shelf (COTS) products to internally developed applications. Beyond simply listing them, the activity mandates tracking crucial details: their supportability (e.g., actively maintained, legacy, end-of-life), hosted location (cloud, on-premises, hybrid), and vital record data such as name, version, responsible team, licensing, support details, and, importantly, mapped dependencies.

This activity is fundamental because it provides the necessary context for applying Zero Trust principles to applications and workloads. You can’t apply granular access policies, manage vulnerabilities, or secure your software supply chain without first knowing exactly what applications and code you have. 

The outcomes for Activity 3.1.1 highlight the structured approach to this inventory:

  1. Component has identified its applications and classified each as legacy, virtualized on-premises, or cloud hosted.
  2. Applications and code are tracked by vendor, version number, commercial name, and patch level.

The ultimate end state emphasizes the strategic value of this inventory: develop an inventory that better supports patch management and supply chain risk management, increasing security by identifying unauthorized applications and known security vulnerabilities. This enables proactive defense based on comprehensive knowledge of your software assets.

Solutions for Application/Code Inventory (Activity 3.1.1)

Implementing Activity 3.1.1 requires leveraging application and software asset management tools and establishing processes to discover, categorize, and maintain information about all approved software assets. Organizations typically leverage a blend of enterprise platforms and specialized tools.

An integrated enterprise platform like ServiceNow often serves as the central hub and operational backbone, providing:

  1. Software Asset Management (SAM) Platforms: While often focused on licensing and compliance, SAM tools are excellent for maintaining a detailed inventory of commercial software, tracking versions, vendors, and patch levels. They can discover installed software and map it to licensing agreements.
  2. Application Portfolio Management (APM) Tools: APM tools focus on the business aspects of applications, helping organizations manage their entire application portfolio. They are key for tracking application ownership (responsible team), supportability (active, legacy, end-of-life), and hosted location (cloud, on-premises). They also often link to business capabilities and dependencies.
  3. Configuration Management Database (CMDB): The CMDB serves as the central repository for all Configuration Items (CIs), including applications and code. Data from discovery tools, SAM, APM, and Software Composition Analysis (SCA) should ultimately feed into the CMDB to provide a single, unified, authoritative inventory.

Specialized needs and tools may be required for:

  1. Application Discovery Tools: These tools scan networks and endpoints to identify running applications and installed software. This helps to uncover authorized applications as well as potential “shadow IT” (unauthorized applications).
  2. Software Composition Analysis (SCA) Tools: For in-house developed applications and those leveraging open-source components, SCA tools are vital. They scan source code, binaries, and dependencies to identify all open-source libraries used, their versions, known vulnerabilities (CVEs), and licensing information. This is critical for managing open-source supply chain risk.
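The following is an added example, not code from the page, the DoD, ServiceNow or any tool vendor, showing how the inventory record described under the Activity 3.1.1 outcomes (name, vendor, version, patch level, hosting type, supportability, owner) can be reconciled with discovery and SCA output to reach the stated end state: flag unauthorized software, endpoints below the approved patch level, end-of-life software still in use, and SBOM components with an open advisory. All inputs are constructed: the CycloneDX-style SBOM, the discovery results, the approved inventory and the advisory list are placeholders, and the advisory IDs are deliberately not real CVE numbers.

```python
"""Reconcile discovery and SCA output against an approved application inventory.

Added example, not DoD, ServiceNow or vendor code. All inputs are constructed:
SBOM fragment, discovery results, approved list and advisory IDs are invented.
"""
import json
from dataclasses import dataclass

# Constructed SBOM (CycloneDX JSON layout) for an in-house application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "pay-portal", "version": "2.3.1"}},
  "components": [
    {"type": "library", "name": "acme-json", "version": "1.4.2",
     "purl": "pkg:maven/com.acme/acme-json@1.4.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "acme-logger", "version": "3.0.0",
     "purl": "pkg:maven/com.acme/acme-logger@3.0.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""

# Constructed advisory feed: the component is affected below fixed_in.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "acme-json", "fixed_in": "1.5.0"},
    {"id": "EXAMPLE-ADV-0002", "component": "acme-logger", "fixed_in": "2.9.0"},
]


@dataclass(frozen=True)
class AppRecord:
    """One authoritative inventory row carrying the Activity 3.1.1 fields."""
    name: str
    vendor: str
    version: str          # currently approved release
    patch_level: str      # minimum version an endpoint may run
    hosting: str          # legacy | virtualized-on-prem | cloud
    supportability: str   # active | legacy | eol
    owner: str            # responsible team


# Constructed approved inventory (what a CMDB/SAM export might contain).
APPROVED = [
    AppRecord("pay-portal", "internal", "2.3.1", "2.3.0", "cloud", "active", "payments-dev"),
    AppRecord("OfficeSuite", "ExampleCorp", "16.2", "16.1", "virtualized-on-prem", "active", "desktop-eng"),
    AppRecord("LegacyReport", "OldVendor", "5.0", "5.0", "legacy", "eol", "finance-it"),
]

# Constructed discovery results (what an endpoint scanner might report).
DISCOVERED = [
    {"host": "ws-0101", "name": "OfficeSuite", "version": "16.0"},
    {"host": "ws-0102", "name": "OfficeSuite", "version": "16.2"},
    {"host": "srv-0200", "name": "LegacyReport", "version": "5.0"},
    {"host": "ws-0103", "name": "QuickSync", "version": "1.0"},   # not in inventory
]


def vkey(version: str) -> tuple:
    """Comparable key for dotted versions; non-numeric segments count as 0."""
    key = []
    for seg in version.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def parse_sbom(text: str):
    """Return (application name, [(component, version, purl), ...])."""
    bom = json.loads(text)
    comps = [(c["name"], c["version"], c.get("purl", "")) for c in bom["components"]]
    return bom["metadata"]["component"]["name"], comps


def vulnerable_components(components, advisories):
    """Match SBOM components against advisories whose fix is newer than what ships."""
    hits = []
    for name, version, _purl in components:
        for adv in advisories:
            if adv["component"] == name and vkey(version) < vkey(adv["fixed_in"]):
                hits.append((name, version, adv["id"], adv["fixed_in"]))
    return hits


def reconcile(discovered, approved):
    """Compare what runs on endpoints with what the inventory approves."""
    index = {rec.name.lower(): rec for rec in approved}
    report = {"unauthorized": [], "below_patch_level": [], "eol_in_use": []}
    for found in discovered:
        rec = index.get(found["name"].lower())
        if rec is None:                       # shadow IT: not in the approved list
            report["unauthorized"].append((found["host"], found["name"], found["version"]))
            continue
        if vkey(found["version"]) < vkey(rec.patch_level):
            report["below_patch_level"].append(
                (found["host"], rec.name, found["version"], rec.patch_level))
        if rec.supportability == "eol":       # approved, but no longer supportable
            report["eol_in_use"].append((found["host"], rec.name, rec.owner))
    return report


if __name__ == "__main__":
    app, comps = parse_sbom(SBOM_JSON)
    print(app, "vulnerable components:", vulnerable_components(comps, ADVISORIES))
    print(json.dumps(reconcile(DISCOVERED, APPROVED), indent=2))
```

In a real deployment the three constructed inputs come from the tools named above: the SBOM from an SCA scanner, the discovery list from an endpoint or network discovery tool, and the approved records from the CMDB export. Matching by lowercase name is a simplification; production reconciliation should key on a stable identifier such as the package URL (purl) already present in the SBOM, since commercial names and vendor strings drift between tools.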

Key Items to Consider:

  • Comprehensive Discovery: The biggest challenge is often discovering all applications, especially shadow IT, legacy systems, and custom code in diverse environments (on-premises, hybrid, multi-cloud).
  • Data Accuracy and Maintenance: Inventories are only useful if they are accurate and continuously updated. Establish processes for automated discovery and regular validation.
  • Classification and Tagging: Develop a standardized taxonomy for classifying applications by hosting type, supportability, and other attributes to enable effective filtering and policy application.
  • Ownership and Governance: Assign clear ownership for application data within the inventory and establish governance processes for approving new applications and managing their lifecycle.

For the Technical Buyer:

Zero Trust Activity 3.1.1 is the foundational step in applying Zero Trust principles to your application and workload layer. It’s about developing a comprehensive, accurate, and continuously updated inventory of all approved applications and code, complete with details on their type, location, and dependencies. For technical buyers, success here means investing in an integrated suite of Software Asset Management (SAM) and Application Portfolio Management (APM) that feed into a central CMDB, capable of discovering and tracking software assets across your diverse environments. This inventory is not just for auditing; it’s the intelligence layer that enables effective patch management, proactive vulnerability identification, and robust supply chain risk management. You cannot deny by default or apply granular controls to applications you don’t even know exist or fully understand.

Pillar: Application & Workload

Capability: 3.1 Application Inventory

Activity: 3.1.1 Application/Code Identification

Phase: Target Level

Predecessor(s): None

Successor(s): None

Technology Partners