iluom
Contributor II

Security Architecture Reviews

Hi InfoSec community,

Can anybody suggest how to approach an annual Security Architecture/design review (only design/architecture, not implementation or VAPT) of a web application which does not have any proper documentation for security activities?

When I think about it... it requires Threat Modeling and Risk Assessment... but it's overwhelming and I would like to get some pointers on where to start, what needs to be covered, etc.

Thank you.

Chandra Mouli, CISSP, CCSP, CSSLP
3 Replies
BadIdea
Viewer II

Start with an assessment of the application. You will identify threats and weaknesses; translate that into a roadmap of the target state. You cannot boil the ocean, so pick the items that pose the greatest risk as your priority items.
luisantonio
Newcomer I

To me, a quick start in those situations is to get answers about the most common pitfalls I found when working with developers who did not care about Security:
- Authentication: How it interacts with users and other applications.
- Credentials: How they are stored.
- Storage: How does it persist changes? What security controls are applied?
- Data flow.
I'm talking about quick wins. Of course you are right, and threat modeling and risk assessment are how things should be accomplished. There are so many additional areas to be covered (for example environment, deployment), but sometimes it is overwhelming and a simple document can serve as a starter.

Luis. Security Engineer, IT Manager.
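The two replies above describe the same first step from different angles: BadIdea's "assess, then rank by greatest risk" and Luis's short checklist (authentication, credential storage, persistence controls, data flow). The following is an added example, not code from the original thread or its posters, showing how those two ideas can be combined into a minimal STRIDE-per-element threat model that turns a rough data-flow picture into a risk-ranked list of findings and a starter roadmap. The element types, the control names, the threat-to-control mapping and every score are hypothetical assumptions made for this example; a real review would calibrate them to the organization's own risk scale.

```python
"""Minimal STRIDE-per-element threat model for a first architecture review.

Constructed example: the element types, control vocabulary, threat-to-control
mapping and the sample application below are hypothetical assumptions, not
output from any real review or tool.
"""
from dataclasses import dataclass, field

# STRIDE categories that are usually relevant for each kind of data-flow element.
STRIDE_BY_ELEMENT = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "datastore": ["Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"],
    "dataflow": ["Tampering", "Information disclosure", "Denial of service"],
}

# Hypothetical mapping: which documented control class mitigates each category.
MITIGATES = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "audit-logging",
    "Information disclosure": "encryption",
    "Denial of service": "rate-limiting",
    "Elevation of privilege": "authorization",
}


@dataclass
class Element:
    name: str
    kind: str                               # external | process | datastore | dataflow
    controls: set = field(default_factory=set)  # control classes documented as present
    impact: int = 3                         # 1 (low) .. 5 (high): damage if realised
    exposure: int = 3                       # 1 (low) .. 5 (high): how reachable it is


def threats_for(element):
    """STRIDE threats for this element that no documented control covers."""
    return [t for t in STRIDE_BY_ELEMENT[element.kind]
            if MITIGATES[t] not in element.controls]


def risk_score(element):
    """Simple impact x exposure score used only to order the findings."""
    return element.impact * element.exposure


def review(elements):
    """Run the model over every element and return findings, highest risk first."""
    findings = []
    for el in elements:
        for threat in threats_for(el):
            findings.append({
                "element": el.name,
                "threat": threat,
                "missing_control": MITIGATES[threat],
                "risk": risk_score(el),
            })
    # Deterministic order: risk descending, then element and threat name.
    findings.sort(key=lambda f: (-f["risk"], f["element"], f["threat"]))
    return findings


def roadmap(findings, top=5):
    """Turn the highest-risk findings into the first roadmap items (text lines)."""
    return [f"[{f['risk']:>2}] {f['element']}: {f['threat']} -> add {f['missing_control']}"
            for f in findings[:top]]


# Constructed sample application, following the checklist in the thread:
# who authenticates, how credentials are stored, how data persists, how it flows.
SAMPLE_MODEL = [
    Element("Browser user", "external", {"authentication"}, impact=2, exposure=5),
    Element("Web app", "process",
            {"authentication", "authorization", "audit-logging", "rate-limiting"},
            impact=4, exposure=5),
    # Credential store with no encryption or logging documented.
    Element("Credential store", "datastore", {"integrity"}, impact=5, exposure=3),
    # Data flow with no documented transport protection at all.
    Element("User -> Web app (HTTP)", "dataflow", set(), impact=4, exposure=5),
]

if __name__ == "__main__":
    for line in roadmap(review(SAMPLE_MODEL)):
        print(line)
```

The output of `review` is the "simple document" Luis mentions: each row names an element, the STRIDE category that is uncovered, and the control class whose absence is the finding. Sorting by the impact-by-exposure score gives BadIdea's prioritization for free, and as the team documents more controls the list shrinks, which makes the same script usable for the annual re-run.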
rahul28
Viewer

You can start with the principles aligned with your organization's objectives. Principles like Single Identity, Security Monitoring, Data Security, etc. You can then assess whether the architecture/design complies with those principles. This will be a continuous process and will get refined over a period of time, but you need to start from somewhere, take feedback from relevant stakeholders and improve.

Thanks!!

Rahul Sharma