Synopsys Software Integrity Group is now operating as Black Duck Software, Inc., a subsidiary of Synopsys. Click to learn more.

close search bar

Sorry, not available in this language yet

close language selection

Architecture Risk Analysis

Course Description

Architecture Risk Analysis (ARA) is a set of techniques that aims to discover design flaws and the risks they pose within a system. ARA does not replace other analysis techniques such as penetration testing and code review; it complements those techniques. Once you learn the techniques discussed in this course, you will have the skills needed to identify design-level defects — even if the system being analyzed has been pen-tested, code-reviewed, and released.

Learning Objectives

  • Explain to others why a technique like ARA is required to have secure software
  • Learn the different types of analyses that are used when performing Architecture Risk Analysis
  • Identify the kind of output that is needed or expected when performating Architecture Risk Analysis

Details

Delivery Format: eLearning

Duration:  1 hour 30 minutes

Level: Advanced

Intended Audience:

  • Architects
  • Back-End Developers
  • Front-End Developers
  • QA Engineers

Prerequisites: 

Course Outline

ARA Overview

  • What Is ARA?
  • When Do You Perform ARA?
  • Indicators ARA Is Necessary
  • Ongoing ARA

Design Flaws and the Techniques That Find Them

  • Bugs vs. Flaws
  • Examples of Security Flaws at Design Level
  • Is There a Tool for That?
  • Analysis Types for ARA

ARA Output

  • What Do You Get?
  • Who Uses It?
  • Following Up with Secure Design

Dependency Analysis

  • Dependency Analysis Overview
  • Analyzing an Application’s Environment and Considerations
  • Illuminate Interfaces and Contracts
  • Base Security Controls and Limitations

Known Attack Analysis

  • What Is Known Attack Analysis?
  • Applying Principles
  • Commonly Discovered Flaws
  • Build an Attack Checklist
  • Build a List of Security Controls Common to Design Patterns
  • Connections Between Architectural Elements
  • Pay Close Attention to Dynamic Code Generation and Interpretation
  • APIs Across Stateless Protocols

System-Specific Analysis

  • Business Relation
  • Discovering Intentions
  • Trust
  • The Problem with Trust
  • Software Security Modeling Techniques
  • Trust Modeling
  • Data Sensitivity Classification
  • Threat Modeling

Guiding Principles for ARA

  • Secure the Weakest Link
  • Storing Secrets Is Hard
  • The Principle of Least Privilege
  • Fail and Recover Securely
  • Compartmentalize
  • Promote Privacy
  • Keep It Simple
  • Mediate Completely
  • Separation of Duties
  • Make Security Usable

Models of an ARA System

  •  ARA Models Overview
  • Component Diagram
  • ·Threat Model Diagram

Documenting ARA Findings

  • What Is a Traceability Matrix?
  • Traceability Matrix
  • Documenting Technical Risks
  • Customer Credentials Sent to Browser for Support Functionality
  • Customer Credentials -  Findings
  • Documenting Observations

Security Testing

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster