Why Security Design Reviews are More Effective than Pentesting

Many companies rely on pentesting to achieve compliance and strengthen their security posture. However, pentesting alone cannot identify all of your application’s potential security issues.

Instead, it’s recommended to include Security Design and Security Code Reviews as part of a 4-stage Application Security Risk Assessment, which includes:

Most pentesters don’t perform a Business Impact Assessment, which combines the likelihood of a finding being exploited with the potential impact on your business to establish risk, so you can allocate your remediation effort effectively. Instead, they rely on automated security scanners. While these tools can flag potential security issues, they lack the business context needed to prioritize them accurately.
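The following is an added example, not code from the original post or from Forward Security, showing how business context re-orders findings compared with a scanner's severity. It applies the OWASP Risk Rating Methodology (likelihood and impact factors scored 0 to 9, averaged, bucketed into three levels and combined in a 3x3 severity matrix); the three findings, their factor values and the scanner severities are constructed for illustration.

```python
"""Re-prioritising scanner findings with business context.

Added example (not Forward Security's code). Scores each finding with the
OWASP Risk Rating Methodology: likelihood and impact factors rated 0-9,
averaged, bucketed into LOW/MEDIUM/HIGH, then combined in a 3x3 matrix.
The findings and factor values below are constructed for illustration.
"""
from statistics import mean


def level(score: float) -> str:
    """OWASP Risk Rating buckets: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity matrix, indexed [likelihood_level][impact_level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Note": 0}


def overall_risk(likelihood_factors: dict, impact_factors: dict) -> tuple:
    """Return (likelihood_level, impact_level, overall_severity)."""
    lk = level(mean(likelihood_factors.values()))
    im = level(mean(impact_factors.values()))
    return lk, im, SEVERITY[lk][im]


# Constructed findings. 'scanner' is the severity a tool would report with
# no knowledge of the business; the factor dicts carry that context.
FINDINGS = [
    {
        "id": "F1", "title": "Reflected XSS on static marketing page",
        "scanner": "High",
        # threat-agent and vulnerability factors (OWASP likelihood factors)
        "likelihood": {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
                       "ease_of_discovery": 7, "ease_of_exploit": 5,
                       "awareness": 9, "intrusion_detection": 8},
        # business impact factors: no sessions and no customer data on that host
        "impact": {"financial_damage": 1, "reputation_damage": 4,
                   "non_compliance": 2, "privacy_violation": 1},
    },
    {
        "id": "F2", "title": "Missing rate limit on payout API",
        "scanner": "Low",
        "likelihood": {"skill_level": 3, "motive": 9, "opportunity": 7, "size": 6,
                       "ease_of_discovery": 5, "ease_of_exploit": 6,
                       "awareness": 6, "intrusion_detection": 9},
        # direct financial loss and regulatory exposure
        "impact": {"financial_damage": 9, "reputation_damage": 8,
                   "non_compliance": 7, "privacy_violation": 3},
    },
    {
        "id": "F3", "title": "Server version disclosed in HTTP header",
        "scanner": "Low",
        "likelihood": {"skill_level": 9, "motive": 1, "opportunity": 4, "size": 2,
                       "ease_of_discovery": 9, "ease_of_exploit": 1,
                       "awareness": 9, "intrusion_detection": 8},
        "impact": {"financial_damage": 1, "reputation_damage": 1,
                   "non_compliance": 1, "privacy_violation": 0},
    },
]


def prioritise(findings: list) -> list:
    """Rank findings by overall business risk, highest first."""
    scored = []
    for f in findings:
        lk, im, sev = overall_risk(f["likelihood"], f["impact"])
        scored.append({**f, "likelihood_level": lk, "impact_level": im, "overall": sev})
    return sorted(scored, key=lambda s: RANK[s["overall"]], reverse=True)


def scanner_order(findings: list) -> list:
    """The order a tool would present, using only its own severity label."""
    return [f["id"] for f in sorted(findings, key=lambda f: RANK[f["scanner"]], reverse=True)]


if __name__ == "__main__":
    print("scanner order  :", scanner_order(FINDINGS))
    print("business order :")
    for s in prioritise(FINDINGS):
        print(f"  {s['id']} {s['overall']:8} (L={s['likelihood_level']}, "
              f"I={s['impact_level']}) {s['title']}")
```

With these constructed values the scanner puts the XSS first and the payout API last; the business-impact scoring inverts that, rating the unthrottled payout API Critical and the XSS on a host that holds no sessions or data Medium. The factor names are the OWASP ones, but the 0 to 9 values are assumptions chosen to make the reordering visible.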

Every standalone or comprehensive service we offer includes a Business Impact Assessment to provide a more accurate triage and remediation recommendation.

Continue reading: The Importance of a Risk-Based Approach in Security Assessments

Security Design Reviews require skills that most pentesters do not possess

The reality is that Security Design Reviews require skills that most pentesters do not possess, such as considerable software development experience. Notably, OWASP’s Application Security Testing Guide states that there are four critical steps:

At Forward Security, we only hire ex-software developers, and they follow OWASP’s ASVS.

We spend time reviewing the architecture, creating a blueprint, Ocean’s Eleven style, formulating our attacks, and only then moving on to pentesting.

We also offer our Eureka DevSecOps Service, which is all about providing the right people, process, and technology to ensure that the security is not a last-minute add-on but an integral part of the design.

A key strategy encouraged by OWASP is testing software before it’s fully developed and deployed, which significantly reduces the cost and effort of remediation post-deployment.

For comprehensive security, Design Reviews become crucial. They examine the security implications of people, policies, and processes, as well as the technology decisions embedded in the architecture. This requires rigorous documentation and in-depth interviews with the system’s designers and owners.

Manual inspections are another critical aspect of the testing process. They do not necessarily rely on technology; instead they demand deep understanding and thoughtful analysis, and so unveil security concerns that are not visible on the surface.

Manual inspections are among the most broadly applicable ways to test a software development lifecycle: they require no supporting technology and can be applied to a wide variety of situations. They are flexible and promote teamwork; the disadvantages are that they are time-consuming, supporting materials are not always available, and they require human thought and skill to be effective, which is not always there.

However, it is more effective than pentesting.

Pentesting can be fast and cheap, and it requires far less skill than code reviews or design reviews. The problem is that it’s done too late in the development life cycle. It also only tests the front end of the deployed application, so it does not dig deep.

Threat modelling gives you a practical attacker’s view of the system. It is flexible, and you can do it early in the life cycle.

For complete protection, we recommend doing all of them. Our 4-stage Application Security Risk Assessment combines all these elements, providing a service that includes:

Most companies don’t offer this comprehensive approach because they lack the expertise: many only have pentesters with limited skill sets who can’t perform code reviews or design reviews. Our service offers a holistic approach to application security that aligns with OWASP’s recommendations.

Continue reading: The Power of Threat Modeling for Application Security

Go Beyond Pentesting

While pentesting has its place in the security lifecycle, it should not be relied upon as the sole method of ensuring application security. A more comprehensive approach that includes design reviews, threat modelling and code reviews will provide a more robust and secure application environment.


Listen and Subscribe to the AppSec Insiders Podcast

The AppSec Insiders is a fun and casual exploration into all things application security. If you haven’t already subscribed, check it out wherever you listen to podcasts.