Security Process: "The How to" of Threat Modeling and Security Code Reviews

In a previous blog, I mentioned that Security is process and not a product.  Part of that process it to conduct a Security Code Review, however, today's Applications are becoming much more complicated, are distributed over numerous Servers and much larger in terms of lines of code.  Thus, it is not always feasible to do a complete Security Code Review of tens of thousands lines of code. 


In today’s fast pace business environment, applications project timelines are being decreased; and more and more pressure is on getting the application into production in a timely manner, without comprising Security.  This is a tall order, but threat modeling and Security Code Review actually go hand-in-hand and fit nicely into the Security process.  These two techniques can be incrementally added to your software development lifecycle and when used properly it provides a nice comprise between Security and Business pressures.


First, we need a mechanism to pinpoint the code that processes certain functions that are more vulnerable to Security breaches.  For example, when you have data flowing from Anonymous users to a process in a trusted environment this would be a prime candidate for a Security Code Review.  This is where threat modeling becomes extremely important as one of key steps of conducting a threat model is to create data flow diagrams.  For a complete overview on how to conduct a threat model for a Web Application visit the following link:


With a completed threat model and priorities set on where to conduct the Security Code Review the next question is “how to I conduct a solid Security Review”?  Recently on MSDN a “How to” module was release describing both the benefits and the process of conducting a Security Code Review on your .Net Framework 2.0 Applications.


In summary, these two functions fit hand-in-hand as part of any security process in the software development lifecycle.  Both of these articles provide a lot of value to any security process but they truly need to be done in conjunction with one another for maximum benefits.