Penetration Testing, Secure Code Review, and Secure Design Review (Threat Modeling)

July 20, 2017 #security #codequality

Software Security Initiative Capabilities: Getting Started mentions three common security capabilities:

  • Penetration testing
  • Code review
  • Some sort of secure design review (e.g., threat modeling)

Tools can help some - Dynamic Analysis (DAST) for pen testing and Static Analysis (SAST) for code review - but don’t catch everything.

SAST vs DAST Security Defects Uncovered in Practice

However, there aren’t tools for secure design reviews, and this requires a subject matter expert (SME).  The threat modeling process involves documenting the architecture and diagraming the application to help to identify threats.  This same information would be needed by both secure code reviews and penetration testing later in the SDLC.

Related Links:

Kevin Hakanson

Multi-Cloud Certified Architect | DevSecOps | AppSec | Web Platform | Speaker | Learner | Builder
Twitter | LinkedIn | GitHub | Stack Overflow | Credly

© 2024 Kevin Hakanson (built with Gatsby)