Can anybody suggest how to approach an annual security architecture/design review (only design/architecture, not implementation or VAPT) of a web application which does not have any proper documentation for security activities?
When I think about it, it requires threat modeling and risk assessment, but that is overwhelming, and I would like to get some pointers on where to start, what needs to be covered, etc.
Start with an assessment of the application. You will identify threats and weaknesses; translate those into a roadmap of the target state. You cannot boil the ocean, so pick the items that pose the greatest risk as your priority items.
To me, a quick start in those situations is to get answers about the most common pitfalls I found when working with developers who did not care about security:
- Authentication: how it interacts with users and other applications.
- Credentials: how they are stored.
- Storage: how it persists changes, and what security controls are applied.
- Data flow.
I'm talking about quick wins. Of course you are right, and threat modeling and risk assessment are how things should be accomplished; there are so many additional areas to be covered (for example environment and deployment), but sometimes it is overwhelming, and a simple document can serve as a starter.
You can start with principles aligned with your organization's objectives, such as Single Identity, Security Monitoring, Data Security, etc. You can then assess whether the architecture/design complies with those principles. This will be a continuous process and will get refined over a period of time, but you need to start somewhere, take feedback from the relevant stakeholders, and improve.