Software Security Touchpoints

  1. Code review (tool-assisted).

  2. Architectural risk analysis.

  3. Penetration testing.

  4. Risk-based security testing.

  5. Abuse cases (thinking like an attacker).

  6. Security requirements.

  7. Security operations (not only at software level).

Architectural Risk Analysis

Similar to Threat Modelling

Designers and architects provide a high-level view of the target system, document the assumptions it relies on, and identify possible attacks against it.

McGraw proposes 3 main steps for risk analysis:

  • Attack resistance analysis (explore known threats).

  • Ambiguity analysis (discover new risks).

  • Weakness analysis (explore third-party assumptions, i.e. the risks introduced by external components the system depends on).
