The Synopsys Software Integrity Group is now Black Duck®.

Years of experience have taught us that half the software defects that create security problems are flaws in design. Simply testing software for security bugs within lines of code, or penetration testing your applications, ignores half the problems that leave your organization vulnerable to attack.

Get support no matter where you are in the SDLC

An architecture risk analysis (ARA) is a comprehensive design review that enables you to determine your system's adherence to secure design principles. Security defects can be detected and resolved earlier in the software development life cycle (SDLC), which is less expensive, invasive, and time-consuming than waiting until code is written or QA tests are performed. However, even if your system is already built or deployed, an ARA can be immensely valuable because an application’s functionality and attack vectors are in a constant state of evolution.

Expose and remediate the other 50% of defects hiding in your system design

By addressing security in your design, you can architect common, recurring software defects out of your code. Here is what an ARA provides.


THREAT MODELS INCLUDE

  • Assets prioritized by risk
  • Threats prioritized by likelihood
  • Attacks most likely to occur
  • Current countermeasures likely to succeed or fail
  • Remediation measures to reduce the threats

Threat modeling
Analyze your security risks by thinking like a hacker.

Threat modeling identifies the types of threat agents that cause harm. It adopts the perspective of malicious hackers to see how much damage they can do. We look beyond the typical canned list of attacks to think about new or previously unconsidered attacks.

Avoid four security sinkholes with threat modeling

Threat modeling defines your entire attack surface. It can identify:

  • Threats that exist beyond predetermined lists of common attacks. Standard attacks don’t always pose a risk to your system. Perform threat modeling to identify attacks that are unique to how your system is built.
  • Where threat agents exist relative to the architecture. Model the location of threat agents, motivations, skills, and capabilities to identify where potential attackers are positioned in relation to your system’s architecture.
  • Ways to keep frameworks ahead of internal or external attackers relevant to your applications.
  • Components that need additional protection. Highlight assets, threat agents, and controls to determine which components attackers are most likely to target.

We adjust to fit your needs

We recognize that every organization has a different risk profile and tolerance, so we tailor our approach to your needs and budget. Our holistic approach consists of two essential steps.

  1. We review the system’s major software components, security controls, assets, and trust boundaries.
  2. We then model those threats against your existing countermeasures and evaluate the potential outcomes.

Secure design review
Find out if your application's architecture and infrastructure align with business practices.

The Black Duck knowledgebase consists of relevant best practices along with a questionnaire for developers and security champions. API security, OAuth 2.0, OpenID and JWT security are just a few examples of panels.

How well do your security controls align with industry best practices?

We evaluate the design of your key security controls against industry best practices to determine if any are misconfigured, weak, misused, or missing.

Don't let flaws fall through the cracks

Our experts review up to 11 key security controls to find system defects that aren’t found through activities such as pen testing, DAST, or SAST.

We provide the bridge between testing and remediation

At the end of each assessment, we will conduct a read-out call with the appropriate development team to review each vulnerability identified during the assessment, answer any questions that the team might have around each vulnerability, and discuss mitigation/remediation strategies.