Architectural Risk Analysis (ARA) is a key component of Risk Management Framewor.
Architectural Risk Analysis (ARA) is a key component of Risk Management Framework (RMF). One of the reasons is because 50% of security problems come from design flaws, which can be mitigated to a reasonable degree through a solid ARA, among other things. It is a process whereby you start at more of 10,000 foot view. An example given in the book pgs 151/152 was a financial application that ran a firm of 100 employees, yet only one person in the entire organization knew how it really worked. To mitigate risk, a forest-level view and relevant documentation was created to begin the ARA, before drilling down and prioritizing other risks.
There are three main steps (sub-processes) in the ARA:
1) Attack resistence analysis: using information of known attacks, patterns, vulernabilities based on similar systems and black-hat capabilities know today; how will the system fare given this knowledge?
2) Ambiguity analysis: trying to find new risks (typically 2 analysis with lots of experience); they will do their own analysis activities in parallel and then come back together to compare and decide what their finaly analysis and recommendations are for risks/concerns/gaps, together
3) Weakness analysis: are there any external software dependencies; what about outside code, middleware, distributed systems/code, etc.? This process looks for the weakest links based on these external linkages with off-the-shelf software, frameworks, network topologies, physical environments housing systems, etc.; this is difficult and considered “weakness” because some of this will be somewhat outside your control for security and risk management, but should still be known and documented and the business should still be advised on known weaknesses.
Having a solid ARA process regularly in place as part of your RMF and SDLC will mitigate overall risk in your projects, saving the company time and money. There should be fewer security breaches. You will be fostering very good documentation. You will have good summaries (forest-level) of your risks that can more easily be consumed by non-technical people.