This blog post goes over some pointers for the initial design and assessment of the security architecture of a complicated Internet application, covering the following areas:
- Business Requirements
- Infrastructure Requirements
- Application Requirements
- Security Program Requirements
Business Requirements
Business Plan
What is the main corporate objective of the application?
How will the app generate revenue?
What business milestones are anticipated for creating or enhancing the application?
How is the software promoted?
What main advantages does the application provide users?
What application-specific business continuity provisions exist?
What regions of the world does the application support?
Data Fundamentals
What data is received, created, and processed by the application?
How can the data be divided into groups based on sensitivity?
What advantages could an adversary get by stealing or altering the data?
What criteria for data backup and storage have been established for the application?
End-Users
Who are the end users of the application?
How do users of the program interact with it?
What security goals do end users have in mind?
Partners
Which third parties provide the application with data?
Which third parties receive data from the application?
Who processes the data from the application?
What methods, other than the application itself, are employed to share data with outside parties?
Which security demands are made by the partners?
Administrators
Who has access to the application’s administrative features?
What administrative features does the program provide?
Regulations
What sectors does the application work in?
What laws pertaining to security are applicable?
What laws governing audits and compliance are relevant?
Infrastructure Requirements
Network
What specifics of load-balancing, firewalling, switching, and routing have been defined?
What type of network architecture supports the application?
What fundamental network components underpin the application?
What standards for network performance exist?
What public and private network connections does the application support?
Systems
What platforms are supported by the application?
What hardware specifications have been established?
What specifics about necessary OS components and lock-down requirements have been established?
Infrastructure Monitoring
What network and system performance monitoring requirements have been established?
What tools are available to identify malicious software or infected application components?
What requirements for network and system security monitoring exist?
Externalization and Virtualization
What features of the program are virtualization-friendly?
What application-specific virtualization needs exist?
What elements of the product may or may not be hosted using a cloud computing model?
Application Requirements
Environment
What coding languages and frameworks were utilized to construct the application?
What requirements in terms of code, processes, or infrastructure exist for the application?
What application servers and databases support the application?
Processing of Data
What methods of data entry does the application accept?
Does the program support any specific data output routes?
How does data flow between the internal parts of the application?
What specifications for data input validation have been established?
What information is stored by the application, and how?
What information needs to be encrypted, and what key management specifications exist?
What tools are available to spot the loss of private information?
What encryption standards are applicable to data traveling over WAN and LAN links?
Access
What levels of user access does the application support?
What specifications for user identification and authentication exist?
What specifications for user authorization exist?
What standards for session management have been established?
What URI and service calls have defined access requirements?
What limitations on user access have been established?
How are user IDs kept consistent between calls for a transaction?
Application Inspection
What standards for application auditing exist?
What specifications for monitoring application performance exist?
What specifications for application security monitoring exist?
What guidelines have been established for application error handling and logging?
How are access, storage, and security for audit and debug logs handled?
Application Development
What application design review procedures have been defined and put into effect?
How is intermediate or in-process data kept in the cache and memory of the application components?
How many logical levels are used to organize the application’s parts?
What requirements for staging, testing, and quality assurance have been established?
Security Program Requirements
Operations
What procedure is used to find and fix application vulnerabilities?
What procedure is used to find and fix vulnerabilities in network and system components?
How much access to the application’s sensitive data do system and network administrators have?
What specifications for security incidents have been established?
How are administrators able to control production infrastructure?
What physical barriers prevent users from accessing the data and components of the application?
How is access to the environment where the application is hosted granted?
Change Administration
How are modifications to the code regulated?
How are infrastructure modifications managed?
How is software put into use?
What tools are available to spot infringements of change management standards?
Application Development
What testing data are available to developers?
How do developers help with application troubleshooting and debugging?
What specifications exist for restricting access to the application’s source code?
What safe coding techniques have been developed?
Corporate
What specifications for the business security program have been established?
What security training do administrators and developers receive?
Which team is in charge of the application’s security procedures and requirements?
What methods of hiring and firing employees have been established?
What usage conditions make it necessary to uphold the principle of separation of duties?
What safeguards are in place to prevent production from being impacted by a compromised corporate environment?
What standards for security governance have been established?