Threat Modeling vs. Pentesting
by Wouter Avondstondt
Posted on
Posted in AdviseThreat ModelingToreon all

Written by Wouter Avondstondt

This article explains the difference between Threat Modeling and Penetration Testing. It is the third article in a series about Threat Modeling.

Intro to Threat Modeling part 3

Threat Modeling vs. Pentesting

Eric Baize (Head of Product & Application Security at Dell and Chairman of SAFECode) once tweeted: “Using penetration testing as your only software security strategy is like using pregnancy tests for contraception”. You know by now (at least if you read my previous articles) that Threat Modeling is the way to do security-by-design.

This of course doesn’t mean penetration tests are not necessary – they definitely are! But they serve a different purpose. Looking at three dimensions, we can explain what the differences are between Threat Modeling and penetration testing:

  • Timing: Threat Modeling is preferably performed during the design phase of the system (although it is never too late to do it). Penetration testing is done during development or at least just prior to release (please don’t release first and then test on production).
  • Objectives: Threat Modeling prevents or manages design flaws from a ‘white box’ perspective. Pentesting tests the actual application’s resilience – usually from a black box perspective
  • Outcome: Threat Modeling leads to a list of design changes to consider, pentesting generates a list of bug fixes. Both expose risk which begs for risk management measures.

So what’s the difference between design flaws and bugs?

Design flaws are errors in design. They arise from a lack of security requirements (bad design), a lack of secure design knowledge (bad designer). To understand these flaws, you need contextual knowledge. That’s what you learn during a Threat Modeling workshop.

Bugs are coding errors. The design might be good, but accidental errors (bad code) or a lack of secure coding practices (bad coders) can lead to vulnerabilities.

Threat Modeling won’t expose coding errors. Pentesting won’t show design flaws. We need both tools in our toolbox.

In my next post we will see how Threat Modeling and pentesting work to make each other better..

Read my previous posts ‘What is Threat Modeling?‘ and  ‘9 benefits of Threat Modeling’ .

Start typing and press Enter to search

Shopping Cart