Contributor II

Security Architecture Reviews

Hi InfoSec community,


Can anybody suggest how to approach an annual security architecture/design review (only design/architecture, not implementation or VAPT) of a web application which does not have any proper documentation of its security activities?

When I think about it... it requires threat modeling and risk assessment... but it's overwhelming, and I would like to get some pointers on where to start, what needs to be covered, etc.


Thank you.



Mouli, CISSP
2 Replies
Viewer II

Start with an assessment of the application. You will identify threats and weaknesses; translate that into a roadmap of the target state. You cannot boil the ocean, so pick the items that pose the greatest risk as your priority items.
Newcomer I

To me, a quick start in those situations is to get answers about the most common pitfalls I found when working with developers who did not care about security:
- Authentication: how it interacts with users and other applications.
- Credentials: how they are stored.
- Storage: how it persists changes; what security controls are applied.
- Data flow.
I'm talking about quick wins. Of course you are right, and threat modeling and a risk assessment are how things should be accomplished; there are so many additional areas to be covered (for example environment, deployment), but sometimes it is overwhelming and a simple document can serve as a starter.

Luis. Security Engineer, IT Manager.
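One way to turn the two replies above (start with an assessment, prioritise by risk; ask about authentication, credential storage, storage controls and data flow) into something repeatable is to write the model down as code while you interview the developers. The block below is an added example for this thread, not code from either poster: it records elements, trust zones and data flows, enumerates STRIDE threats per element, flags the common pitfalls (flows that cross a trust boundary unencrypted or unauthenticated, weak credential hashing) and sorts everything by a simple likelihood x impact score so the review roadmap starts with the highest-risk items. Every component name, zone, flow and weight in it is constructed for illustration and is not a real application.

```python
"""Threat-model-as-code starter for a design review of an undocumented app.

Added example (not code from the forum posters): record the elements, trust
zones and data flows learned in interviews, enumerate STRIDE threats per
element, flag common pitfalls and rank findings by risk.  Every component
name, flow, zone and weight below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# STRIDE-per-element: which threat categories apply to each element kind.
STRIDE_FOR = {"process": "STRIDE", "datastore": "TRID", "external": "SR"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}
# Fast or unsalted hashes are not acceptable for password storage.
WEAK_PASSWORD_HASHES = {"plaintext", "md5", "sha1", "sha256", "reversible"}


@dataclass
class Element:
    name: str
    kind: str                     # process | datastore | external
    zone: str                     # trust zone: internet | dmz | internal
    stores_credentials: bool = False
    credential_hashing: Optional[str] = None   # None means not hashed at all


@dataclass
class Flow:
    src: str
    dst: str
    data: str
    protocol: str
    authenticated: bool           # does dst verify who src is?
    encrypted: bool               # is the channel encrypted in transit?


@dataclass
class Finding:
    element: str
    category: str
    detail: str
    likelihood: int               # 1 (low) .. 3 (high)
    impact: int                   # 1 (low) .. 3 (high)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def review(elements: List[Element], flows: List[Flow]) -> List[Finding]:
    """Return findings sorted from highest to lowest risk."""
    by_name = {e.name: e for e in elements}
    findings: List[Finding] = []

    # 1. Data flow: anything crossing a trust boundary must be encrypted and
    #    the receiver must authenticate the sender.
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone == dst.zone:
            continue
        label = f"{f.src}->{f.dst}"
        if not f.encrypted:
            impact = 3 if f.data == "credentials" else 2
            findings.append(Finding(label, "Information disclosure",
                f"{f.data} crosses {src.zone}->{dst.zone} over {f.protocol} unencrypted", 3, impact))
        if not f.authenticated:
            findings.append(Finding(label, "Spoofing",
                f"{f.dst} accepts {f.data} from {src.zone} without authenticating {f.src}", 2, 3))

    # 2. Credential storage: expect a salted, slow KDF (argon2id, scrypt, bcrypt).
    for e in elements:
        if e.stores_credentials:
            algo = (e.credential_hashing or "plaintext").lower()
            if algo in WEAK_PASSWORD_HASHES:
                findings.append(Finding(e.name, "Information disclosure",
                    f"credentials stored as {algo}; use a salted memory-hard KDF", 2, 3))

    # 3. Baseline STRIDE checklist for every element/category not already
    #    flagged, so the next interview has a concrete list of open questions.
    flagged = {(f.element, f.category) for f in findings}
    for e in elements:
        for letter in STRIDE_FOR[e.kind]:
            cat = CATEGORY[letter]
            if (e.name, cat) not in flagged:
                findings.append(Finding(e.name, cat, "no control documented; confirm in interview", 1, 1))

    return sorted(findings, key=lambda fi: fi.risk, reverse=True)


# Constructed sample model of a typical three-tier web application.
ELEMENTS = [
    Element("Browser", "external", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("UserDB", "datastore", "internal", stores_credentials=True, credential_hashing="sha1"),
    Element("PaymentAPI", "external", "internet"),
]
FLOWS = [
    Flow("Browser", "WebApp", "session data", "https", authenticated=True, encrypted=True),
    Flow("WebApp", "UserDB", "credentials", "mysql", authenticated=True, encrypted=False),
    Flow("WebApp", "PaymentAPI", "card data", "https", authenticated=False, encrypted=True),
]


def report(findings: List[Finding]) -> str:
    """One line per finding, highest risk first, for the review write-up."""
    return "\n".join(f"[{fi.risk}] {fi.element}: {fi.category} - {fi.detail}" for fi in findings)


if __name__ == "__main__":
    print(report(review(ELEMENTS, FLOWS)))
```

On the sample model the unencrypted credential flow from the DMZ to the internal database ranks first (risk 9), followed by the unauthenticated call to the payment API and the SHA-1 password storage (risk 6 each); everything else comes out as a risk-1 "confirm in interview" item, which is the checklist for the next round of questions. The scoring is deliberately crude: the point is to get the architecture you reconstruct during interviews into one file that can be re-run at the next annual review and diffed against the previous one.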