Monday, July 18, 2011

Architectural Security Reviews

When it comes to conducting a security review of an application architecture (aka design review), two approaches are commonly referenced: first, the software-centric Threat Modeling approach promoted by Microsoft; second, the approach suggested by Gary McGraw that is known as Architectural Risk Analysis.

Although both approaches seem rather different at first sight, since one uses the term "threat" and the other "risk", they are actually quite comparable. Threat Modeling is in fact often a risk review, too: when it is combined with a risk rating scheme like DREAD, for instance, we end up with a list of qualitatively rated risks.

So, when secure SDLCs are described, you will generally find one (but only one) of these two terms used to describe the security design review.

I have experienced, however, that there is a need for another approach: less comprehensive and more focused on functional security, such as the correct use of specific security controls like authorization, authentication, validation and cryptography. This approach could, of course, easily be integrated into or combined with an existing threat model or other kind of architectural analysis result.

I was pretty much inspired here when I first saw a presentation by John Steven on "Advanced Threat Modeling" a couple of years ago. He used a mix of different visualization techniques to describe characteristics and problems within an application architecture in a very perspicuous way.

Since then I have used some of his ideas extensively to visualize architectural security in various projects. In most cases not to conduct a complete threat modeling activity, but as a straightforward approach to sketch and discuss the architecture of a piece of software and to outline basic problems and characteristics within it, so that everybody can understand it quickly. I usually call this activity Architectural Security Review to distinguish it from "Architectural Risk Analysis".

Here is a very simple example:
The diagram above outlines a very high-level three-tier architecture with an Apache frontend and some backend systems, as well as three different actors. The red dotted lines mark trust boundaries, the red boxes security controls or security problems. Since some aspects are very important to visualize in much greater detail, we use hybrid diagrams here, showing different levels of detail.
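The following is an added example, not code from the original post or from John Steven's material. It encodes a three-tier architecture like the one sketched above as data, derives which data flows cross a trust boundary (the red dotted lines), flags crossings that have no security control assigned (the red boxes), and, picking up the DREAD remark further up, turns the modelled threats into the ranked, qualitatively banded risk list that a threat model plus DREAD yields. It also emits Graphviz DOT so the sketch can be regenerated whenever the architecture changes; the DOT rendering approximates the conventions of the diagram (dashed red clusters for trust zones, red edges for problems). All component names, zones, flows, threats and scores are constructed for illustration.

```python
"""Added example: architecture-as-data for an Architectural Security Review.
Components, flows, threats and DREAD scores below are constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    zone: str                        # trust zone the component lives in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    controls: Tuple[str, ...] = ()   # controls on this flow; empty = none identified


@dataclass(frozen=True)
class Threat:
    src: str
    dst: str
    description: str
    # Damage, Reproducibility, Exploitability, Affected users, Discoverability (1..10)
    dread: Tuple[int, int, int, int, int]


def crossings(components: List[Component], flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints sit in different trust zones, i.e. that cross a trust boundary."""
    zone = {c.name: c.zone for c in components}
    return [f for f in flows if zone[f.src] != zone[f.dst]]


def unprotected(components: List[Component], flows: List[Flow]) -> List[Flow]:
    """Boundary crossings with no control assigned: these become the red boxes of the review."""
    return [f for f in crossings(components, flows) if not f.controls]


def dread_rating(scores: Tuple[int, ...]) -> Tuple[float, str]:
    """Average of the five DREAD scores, banded into Low / Medium / High.
    Caveat: DREAD is subjective; many teams fix Discoverability at 10 (assume the
    attacker will find it) so that a low guess cannot drag a real risk down."""
    if len(scores) != 5 or not all(1 <= s <= 10 for s in scores):
        raise ValueError("DREAD needs exactly five scores in the range 1..10")
    avg = sum(scores) / 5
    band = "High" if avg >= 7 else "Medium" if avg >= 4 else "Low"
    return round(avg, 1), band


def ranked_risks(threats: List[Threat]) -> List[Tuple[float, str, str]]:
    """Threat model + DREAD => qualitative risk list, highest rating first."""
    rated = [(dread_rating(t.dread), t) for t in threats]
    rated.sort(key=lambda item: item[0][0], reverse=True)
    return [(avg, band, f"{t.src} -> {t.dst}: {t.description}") for (avg, band), t in rated]


def to_dot(components: List[Component], flows: List[Flow]) -> str:
    """Graphviz DOT: dashed red clusters per trust zone, red edges for unprotected crossings."""
    zones: Dict[str, List[str]] = {}
    for c in components:
        zones.setdefault(c.zone, []).append(c.name)
    crossing = {(f.src, f.dst) for f in crossings(components, flows)}
    unsafe = {(f.src, f.dst) for f in unprotected(components, flows)}
    out = ["digraph architecture {", "  rankdir=LR;", "  node [shape=box];"]
    for zone, names in zones.items():
        out.append(f'  subgraph "cluster_{zone}" {{')
        out.append(f'    label="trust zone: {zone}"; style=dashed; color=red;')
        out.extend(f'    "{n}";' for n in names)
        out.append("  }")
    for f in flows:
        if (f.src, f.dst) in unsafe:
            label = f.data + "\\nPROBLEM: no control at trust boundary"
            attrs = [f'label="{label}"', "color=red", "fontcolor=red", "penwidth=2"]
        else:
            label = f.data + ("\\n" + ", ".join(f.controls) if f.controls else "")
            attrs = [f'label="{label}"']
            if (f.src, f.dst) in crossing:
                attrs.append("penwidth=2")   # protected boundary crossing
        out.append(f'  "{f.src}" -> "{f.dst}" [{", ".join(attrs)}];')
    out.append("}")
    return "\n".join(out)


# Constructed sample: three actors, an Apache frontend in a DMZ, two internal backends.
COMPONENTS = [
    Component("Customer", "internet"), Component("Administrator", "internet"),
    Component("Partner System", "partner"), Component("Apache", "dmz"),
    Component("App Server", "internal"), Component("Database", "internal"),
]
FLOWS = [
    Flow("Customer", "Apache", "login, orders", ("TLS", "form authentication")),
    Flow("Administrator", "Apache", "admin console", ("TLS", "client certificate")),
    Flow("Partner System", "Apache", "SOAP order import"),               # no control identified
    Flow("Apache", "App Server", "proxied HTTP", ("network ACL",)),
    Flow("App Server", "Database", "SQL", ("parameterised queries",)),   # same zone, no crossing
]
THREATS = [
    Threat("Partner System", "Apache", "Spoofing: forged orders from an unauthenticated partner", (8, 10, 8, 8, 6)),
    Threat("Customer", "Apache", "Tampering: session token replay after protocol downgrade", (6, 5, 4, 7, 5)),
    Threat("App Server", "Database", "Information disclosure: verbose SQL errors leak schema", (3, 4, 3, 5, 3)),
]

if __name__ == "__main__":
    for avg, band, text in ranked_risks(THREATS):
        print(f"{band:6} {avg:4}  {text}")
    print(to_dot(COMPONENTS, FLOWS))   # pipe into: dot -Tpng -o review.png
```

Because the model is plain data, the list of unprotected crossings and the DOT sketch can be regenerated in seconds after each sprint, which is exactly the property that makes the review usable on an agile project; the DREAD numbers remain a team judgement and should be revisited whenever a control is added or removed.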

I usually work with a bunch of different hybrid diagrams to visualize different kinds of security attributes, like identity flows or data handling (including the crypto architecture), or specific views on them.

Especially on agile projects, this kind of activity turned out to be really useful, since it can be adapted very quickly and gives all existing as well as new project members a quick understanding of the security architecture. And one of the great advantages of this approach: you have something everybody can understand and perhaps agree on.

In the next couple of weeks I will introduce some of these techniques here in this blog. I will show that we can visualize even very complex architectural characteristics in a rather simple and perspicuous way.
