01/10/2019

Think outside the box like an attacker would!

Hackers are constantly attacking IT infrastructures in new ways – whether in the industry or in the service and banking sector. So developers, managers and architects would do well to put themselves in the role of the attacker in order to identify the vulnerability of their products through a threat and risk analysis – and to correct the errors quickly.

The fact is that users of software, hardware and special IT solutions expect secure, reliable products. What sounds simple, however, is difficult to achieve in practice. On the one hand, products and solutions are becoming more complex – and thus more vulnerable – and on the other hand, attack patterns are becoming increasingly sophisticated. At the same time, the pressure is increasing: reporting on the successful misuse of software vulnerabilities has become a popular topic for the general public.

A threat and risk analysis to identify attack vectors

A threat and risk analysis (TRA) is part of the process for developing secure software (the Security Development Lifecycle) and is used to identify possible weak points early and remedy them through appropriate measures.

What is needed? A workshop held right at the beginning of the development process, so that the architecture of the application is put on a firm footing from the start.

How does a TRA workshop work?

Ideally, a TRA workshop is accompanied by a moderator and a security expert. Limes Security is ready to assist development teams that are looking for such an expert. In the medium term, however, at least one such expert should be present in each organizational unit of the company.

Everyone who comes into contact with the respective product or solution should take part in the workshop: from product managers, developers and architects to testers and service staff. The mix is important in order to bring in the different perspectives on the product or IT solution; service staff, for example, contribute important practical experience. Guided by the security expert, the participants put themselves in the role of the attacker and ask themselves questions such as: “How can functions, interfaces or other aspects of the software be misused?” This process, often referred to as threat modeling, becomes more valuable the more different experts take part: every new perspective helps to discover and eliminate previously unknown types of attack.
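The workshop questions above can be generated systematically rather than from memory. The following is an added illustration, not Limes Security's method or tooling: it applies the standard STRIDE-per-element mapping to a small, constructed data-flow diagram (browser, web API, cache, database), only considers data flows that cross a trust boundary, and rates an element higher when it receives an unprotected cross-boundary flow. The element names, zones and severity rules are assumptions chosen for the example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added illustration, not Limes Security's method or tooling. It assumes the
classic STRIDE-per-element mapping and a constructed three-tier system.
"""
from dataclasses import dataclass

# Which STRIDE categories apply to which kind of data-flow-diagram element
# (assumption: the standard STRIDE-per-element table).
STRIDE_PER_ELEMENT = {
    "external": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"),
    "store": ("Tampering", "Repudiation", "Information disclosure",
              "Denial of service"),
    "flow": ("Tampering", "Information disclosure", "Denial of service"),
}

SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    protected: bool = False  # authenticated and encrypted in transit?


@dataclass(frozen=True)
class Threat:
    severity: str
    target: str
    category: str

    def question(self) -> str:
        """Phrase the threat as the question a workshop participant would ask."""
        return f"Which {self.category.lower()} attacks apply to {self.target}?"


def crosses_boundary(flow, elements):
    """True when source and destination sit in different trust zones."""
    return elements[flow.src].zone != elements[flow.dst].zone


def enumerate_threats(elements, flows):
    """Return threats sorted by severity, then target and category.

    Flows inside one trust zone are skipped: an attacker using them is
    already inside that zone, which is covered when its elements are reviewed.
    An element receiving an unprotected cross-boundary flow is rated high.
    """
    exposed = {f.dst for f in flows
               if crosses_boundary(f, elements) and not f.protected}
    threats = []
    for el in elements.values():
        sev = "high" if el.name in exposed else "medium"
        for cat in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(sev, el.name, cat))
    for f in flows:
        if not crosses_boundary(f, elements):
            continue
        sev = "medium" if f.protected else "high"
        target = f"flow '{f.data}' ({f.src} -> {f.dst})"
        for cat in STRIDE_PER_ELEMENT["flow"]:
            threats.append(Threat(sev, target, cat))
    return sorted(threats,
                  key=lambda t: (SEVERITY_RANK[t.severity], t.target, t.category))


def count_by_severity(threats):
    """Tally threats per severity, e.g. for a workshop summary."""
    counts = {}
    for t in threats:
        counts[t.severity] = counts.get(t.severity, 0) + 1
    return counts


# Constructed example system: browser -> web API -> database, plus a cache
# sitting in the same trust zone as the API.
ELEMENTS = {e.name: e for e in [
    Element("Browser", "external", "internet"),
    Element("Web API", "process", "dmz"),
    Element("Cache", "store", "dmz"),
    Element("Database", "store", "internal"),
]}
FLOWS = [
    Flow("Browser", "Web API", "login request", protected=True),
    Flow("Web API", "Cache", "session lookup"),     # same zone: skipped
    Flow("Web API", "Database", "SQL queries"),     # crosses boundary, plaintext
]

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        print(f"[{t.severity:6}] {t.question()}")
```

Running the script prints one question per threat, highest severity first; in the constructed system the plaintext API-to-database flow and the database itself come out on top, which is exactly the kind of finding a mixed workshop group would then discuss and assign a countermeasure to.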

Limes Security recommends

If you are working on a new module, developing a new software or designing a special solution for your company, involve the security specialists from Limes Security. Call us today to arrange a non-binding meeting!