https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/51648#M3554 <P>You can start with the principle aligned with your organization's objectives. Principles like Single Identity, Security Monitoring, Data Security and etc. You can then assess if the architecture/ design complies with those principles. This will be a continuous process and will get refined over a period of time but you need to start from somewhere and take the feedback for relevant stakeholders and improve.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks!!</P><P>Rahul Sharma</P> Tue, 21 Jun 2022 06:02:53 GMT rahul28 2022-06-21T06:02:53Z https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/47897#M3315 <P>Hi InfoSec community,</P><P>&nbsp;</P><P>Can anybody suggest how to approach <STRONG>Annual Security Architecture/design review (only Design/Architecture not implementation or VAPT )</STRONG> of a web application which is not having any proper documentation for Security activities.</P><P>When I think about it... it's requires Threat Modeling and Risk Assessment... but it's overwhelming and I would like to get some pointers where to start , what needs to be covered..etc..</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 15 Oct 2021 17:26:36 GMT https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/47897#M3315 iluom 2021-10-15T17:26:36Z https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/47912#M3320 Start with an assessment of the application. You will identify threats and weaknesses, Translate that into a roadmap of the target state. You cannot boil the ocean so pick the items that pose the greatest risk as your priority items. Sun, 17 Oct 2021 19:25:58 GMT https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/47912#M3320 BadIdea 2021-10-17T19:25:58Z https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/47982#M3323 To me, a quick start in those situations is to get answers about the most common pitfalls I found when working with developers who did not care about Security:<BR />- Authentication: How it interacts with users and other applications.<BR />- Credentials: How are stored.<BR />- Storage: How does it persist changes. What security controls are applied.<BR />- Data flow.<BR />I'm talking about quick wins. Of course you are right and a threat modeling and risk assessment are how things should be accomplished, there are so many additional areas to be covered (for example environment, deployment) but sometimes is overwhelming and a simple document can serve as a starter.<BR /><BR />Luis. Security Engineer, IT Manager. Wed, 20 Oct 2021 07:24:15 GMT https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/47982#M3323 luisantonio 2021-10-20T07:24:15Z https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/51648#M3554 <P>You can start with the principle aligned with your organization's objectives. Principles like Single Identity, Security Monitoring, Data Security and etc. You can then assess if the architecture/ design complies with those principles. This will be a continuous process and will get refined over a period of time but you need to start from somewhere and take the feedback for relevant stakeholders and improve.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks!!</P><P>Rahul Sharma</P> Tue, 21 Jun 2022 06:02:53 GMT https://community.isc2.org/t5/Tech-Talk/Security-Architecture-Reviews/m-p/51648#M3554 rahul28 2022-06-21T06:02:53Z