SECURITY ARCHITECTURE CHEAT SHEET Which third‐parties process the application’s data? What network and system security monitoring
requirements have been defined? FOR INTERNET APPLICATIONS What mechanisms are used to share data with third‐ This cheat sheet offers tips for the initial design and parties besides the application itself? Virtualization and Externalization review of an application’s security architecture. What security requirements do the partners impose? What aspects of the application lend themselves to virtualization? #1: BUSINESS REQUIREMENTS Administrators Who has administrative capabilities in the What virtualization requirements have been defined Business Model for the application? application? What is the application’s primary business purpose? What aspects of the product may or may not be What administrative capabilities does the application How will the application make money? offer? hosted via the cloud computing model? What are the planned business milestones for Regulations #3: APPLICATION REQUIREMENTS developing or improving the application? In what industries does the application operate? Environment How is the application marketed? What security‐related regulations apply? What frameworks and programming languages have What key benefits does the application offer users? What auditing and compliance regulations apply? been used to create the application? What business continuity provisions have been What process, code, or infrastructure dependencies defined for the application? #2: INRASTRUCTURE REQUIREMENTS have been defined for the application? What geographic areas does the application service? Network What databases and application servers support the What details regarding routing, switching, application? Data Essentials firewalling, and load‐balancing have been defined? What data does the application receive, produce, Data Processing and process? What network design supports the application? What data entry paths does the application support? How can the data be classified into categories What core network devices support the application? What data output paths does the application according to its sensitivity? What network performance requirements exist? support? How might an attacker benefit from capturing or What private and public network links support the How does data flow across the application’s internal modifying the data? application? components? What data backup and retention requirements have Systems What data input validation requirements have been been defined for the application? What operating systems support the application? defined? End‐Users What hardware requirements have been defined? What data does the application store and how? Who are the application’s end‐users? What details regarding required OS components and What data is or may need to be encrypted and what How do the end‐users interact with the application? lock‐down needs have been defined? key management requirements have been defined? What security expectations do the end‐users have? Infrastructure Monitoring What capabilities exist to detect the leakage of Partners What network and system performance monitoring sensitive data? Which third‐parties supply data to the application? requirements have been defined? What encryption requirements have been defined Which third‐parties receive data from the What mechanisms exist to detect malicious code or for data in transit over WAN and LAN links? applications? compromised application components?
Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him on Twitter. Special thanks to Slava Frid for feedback. Page 1 of 2.
Creative Commons v3 “Attribution” License for this cheat sheet version 1.2. See Lenny’s other cheat sheets. Page 2 of 2 Access What staging, testing, and Quality Assurance What secure coding processes have been What user privilege levels does the application requirements have been defined? established? support? Corporate #4: SECURITY PROGRAM REQUIREMENTS What user identification and authentication What corporate security program requirements have Operations been defined? requirements have been defined? What is the process for identifying and addressing What user authorization requirements have been vulnerabilities in the application? What security training do developers and defined? administrators undergo? What is the process for identifying and addressing What session management requirements have been vulnerabilities in network and system components? Which personnel oversees security processes and defined? requirements related to the application? What access to system and network administrators What access requirements have been defined for URI have to the application’s sensitive data? What employee initiation and termination and Service calls? procedures have been defined? What security incident requirements have been What user access restrictions have been defined? defined? What application requirements impose the need to How are user identities maintained throughout enforce the principle of separation of duties? How do administrators access production transaction calls? infrastructure to manage it? What controls exist to protect a compromised in the Application Monitoring corporate environment from affecting production? What physical controls restrict access to the What application auditing requirements have been application’s components and data? What security governance requirements have been defined? defined? What is the process for granting access to the What application performance monitoring environment hosting the application? Additional Resources requirements have been defined? OWASP Guide to Building Secure Web Applications Change Management http://www.owasp.org/index.php/OWASP_Guide... What application security monitoring requirements How are changes to the code controlled? have been defined? ISO 27002 Standard: Code of Practice How are changes to the infrastructure controlled? http://www.iso.org/iso/catalogue... What application error handling and logging requirements have been defined? How is code deployed to production? BITS Standards for Vendor Assessments What mechanisms exist to detect violations of http://www.sharedassessments.org/download... How are audit and debug logs accessed, stored, and secured? change management practices? Guidance for Critical Areas ... in Cloud Computing Software Development http://www.cloudsecurityalliance.org/guidance... Application Design What application design review practices have been What data is available to developers for testing? Payment Card Industry (PCI) Data Security Standard defined and executed? How do developers assist with troubleshooting and https://www.pcisecuritystandards.org/security... How is intermediate or in‐process data stored in the debugging the application? How to Write an Information Security Policy application components’ memory and in cache? http://www.csoonline.com/article/print/495017 What requirements have been defined for How many logical tiers group the application's controlling access to the applications source code? IT Infrastructure Threat Modeling Guide components? http://www.microsoft.com/downloads...
Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him on Twitter. Special thanks to Slava Frid for feedback. Page 2 of 2.
Creative Commons v3 “Attribution” License for this cheat sheet version 1.1. See Lenny’s other cheat sheets.