Take 15 minutes to uncover your high-risk vulnerabilities
Methods for assessing software security risk fall into two broad types:
- Modeling: Understanding the risks the application may conceptually be vulnerable to. It includes threat modeling, threat risk analysis, architectural assessments, framework-level analysis, and software security requirements gathering.
- Vulnerability Assessments: Finding specific instances of said risks in the software, often as a mechanism to “prove” the software is secure to an auditor or customer. This usually involves manual and/or automated static and dynamic testing. Craig Wright has a detailed discussion of assessment types in his paper here.
We sometimes hear organizations say they aren’t ready for a software security requirements program because they are still struggling with deploying vulnerability assessments. The thinking goes that an organization needs to first find out where its real vulnerabilities are before it can focus on modeling exercises that will prevent defects later on.
We don’t agree with this logic. Pen tests are time-consuming and do not necessarily provide sufficient coverage for software weaknesses.
Assessments, and testing in general, are imperative to building secure applications. However, they’re more efficient when they follow a modeling exercise. By knowing the potential security weaknesses in your software ahead of time, you have a chance to address the issues early on and use assessments as a validation tool. The de facto way organizations perform assessments like penetration testing today is to learn about their security issues after building the application, which is inefficient.
One common criticism is the perceived overhead of modeling activities. Development teams are often worried about spending days coming up with generic “best practice” information to secure their applications, when they could instead spend time finding real vulnerabilities to fix. This is a fair criticism.
Security requirements are different. With a good security requirements system, you can determine the relevant threats to your applications in 15 minutes. We’ve had several customers accurately predict the results of manual and automated penetration testing and code review with just 15 minutes of modeling (i.e. answering questions about how their application works). In other words, they were able to know all of the vulnerabilities identified by the assessments, and even some the assessments could not catch, with just 15 minutes of work. Over a broad sample of data, we’ve seen that security requirements can accurately predict 97% of application security vulnerabilities found in penetration testing.
If you can spare 15 minutes for each application release to know your security vulnerabilities ahead of time, it’s worth getting started with a security requirements program.