Thursday, December 18, 2014

How Threat Modeling can help in Code Reviews

Threat modeling will identify high-risk areas of the system that receive the majority of threats. These areas are often good candidates for directed code reviews and typically include components such as protocol parsers, access control components and session management mechanisms. High-risk areas typically interface with an external entity or deal with data in flexible formats.

Line-by-line code reviews of these high-risk areas are important because an area with large number of threats typically has complicated security requirements. Therefore, analyzing the code for design inconsistencies or insecure coding practices can yield subtle vulnerabilities that other wise would be missed.

No comments: