An architectural risk assessment is not a penetration test, nor merely a vulnerability scan. It is an engineering process whose aim is to understand, define, and defend all of the functional interactions of customers, line workers, corporate staff, and client-server systems. Architectural risk assessments include ethical hacking, source code review, and the formation of a new network design.
As Fred Donovan wrote in the Cutter Consortium Executive Update, Architectural Risk Assessment: Matching Security Goals to Business Goals, “Performed correctly, [an architectural risk assessment] will empower the technology staff and enable the business to focus less on security and more on customers.”
According to Donovan, the first step of an architectural risk assessment is to conduct interviews with line workers — the people who interact daily with customers. These line workers know many of the issues — even without understanding the technical details — that may negatively affect customer interaction with a running application. This knowledge will benefit the redesign of the network architecture.
Next, says Donovan, are interviews with technical staff. The information gleaned here will build the foundation for new or modified diagrams of the architecture. “From these interviews, ensure that you receive the current design documents and use a joint application design session to flush out any of the missing details.”
The final interviews are with management. Your objective is to have management communicate the business goals, which will then be matched up with security goals.
Use all of these interviews to gather requirements in the same way as if you were developing a product for the first time — the difference being that this new product will encompass the entire corporate architecture. The corporate architecture includes all software used internally or externally by staff and customers; all hardware components used to process, store, or transmit data; and each API used to connect the corporation to various servers and external partners.
For More Insight on Architectural Risk Assessments:
Cutter Consortium Research: Cutter clients can read the full Executive Update, Architectural Risk Assessment: Matching Security Goals to Business Goals, to get much more advice from Fred Donovan.
Discover some sample security principles in Risk Assessment Gets to the Bottom of Security Basics.