At a Glance: Security Inspections

From Guidance Share

Revision as of 06:36, 6 March 2007; Admin (Talk | contribs)

Security Design Inspections

The security design inspection process analyzes application architecture and design from a security perspective. Use this activity to expose the high-risk design decisions that have been made. Do not rely solely on design documentation: some design decisions will not be explicit and have to be discovered through dialog and exploration. Use a combination of design documents, architecture experts, and discussion to achieve the best results. The goal of the review is to decompose your application and identify key items, including trust boundaries, data flow, entry points, and privileged code. You must also keep in mind the physical deployment configuration of your application.

image:SecurityDesignInspection.gif

There are three important aspects to conducting a security design inspection:

  • You evaluate your application architecture in relation to its target deployment environment and infrastructure.
  • You review your design choices in each of the key vulnerability categories defined by a security frame.
  • Finally, you conduct a tier-by-tier component analysis and examine the security mechanisms employed by your key components, such as your presentation layer, business layer, and data access layer.
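The decomposition step described above can be made concrete as a small model: components assigned to a tier and a trust zone, data flows between them, and externally reachable entry points, with a pass that surfaces the high-risk items a reviewer should discuss. This is an added illustration, not code from the original page or from Guidance Share; the three-tier sample design, the zone names and the three risk rules (unvalidated data crossing a trust boundary, an unprotected channel across a boundary, privileged code reachable from an entry point) are assumptions chosen for the demonstration.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    """A deployable unit of the application (assumed model, not the page's)."""
    name: str
    tier: str                 # "presentation", "business" or "data"
    zone: str                 # trust zone it runs in, e.g. "dmz", "internal"
    privileged: bool = False  # performs sensitive operations or runs elevated


@dataclass(frozen=True)
class DataFlow:
    """Data moving from one component to another."""
    source: str
    target: str
    data: str
    validated: bool = False   # receiving side validates the data
    protected: bool = False   # channel provides confidentiality and integrity


@dataclass
class Design:
    components: dict[str, Component] = field(default_factory=dict)
    flows: list[DataFlow] = field(default_factory=list)
    entry_points: set[str] = field(default_factory=set)  # externally reachable

    def add_component(self, comp: Component, entry_point: bool = False) -> None:
        self.components[comp.name] = comp
        if entry_point:
            self.entry_points.add(comp.name)

    def add_flow(self, flow: DataFlow) -> None:
        self.flows.append(flow)

    def crosses_boundary(self, flow: DataFlow) -> bool:
        # A trust boundary is crossed whenever the two ends sit in different zones
        return self.components[flow.source].zone != self.components[flow.target].zone


def trust_boundaries(design: Design) -> set[tuple[str, str]]:
    """Each pair of zones that some data flow crosses."""
    return {
        tuple(sorted((design.components[f.source].zone, design.components[f.target].zone)))
        for f in design.flows if design.crosses_boundary(f)
    }


def reachable_from(design: Design, start: str) -> set[str]:
    """Components reachable along data flows from `start` (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for f in design.flows:
            if f.source == cur and f.target not in seen:
                seen.add(f.target)
                queue.append(f.target)
    return seen


def inspect(design: Design) -> list[str]:
    """Return the high-risk design items the inspection should surface, sorted."""
    findings = []
    for f in design.flows:
        if design.crosses_boundary(f):
            if not f.validated:
                findings.append(f"unvalidated data '{f.data}' crosses trust boundary {f.source}->{f.target}")
            if not f.protected:
                findings.append(f"unprotected channel across trust boundary {f.source}->{f.target}")
    for entry in design.entry_points:
        for name in reachable_from(design, entry) - {entry}:
            if design.components[name].privileged:
                findings.append(f"privileged component '{name}' reachable from entry point '{entry}'")
    return sorted(findings)


def sample_design() -> Design:
    """Constructed three-tier example used only for this illustration."""
    d = Design()
    d.add_component(Component("web_ui", "presentation", "dmz"), entry_point=True)
    d.add_component(Component("order_service", "business", "internal"))
    d.add_component(Component("order_db", "data", "internal", privileged=True))
    # Presentation -> business: no validation, plain channel, crosses dmz/internal
    d.add_flow(DataFlow("web_ui", "order_service", "order form"))
    # Business -> data: validated and protected, same zone
    d.add_flow(DataFlow("order_service", "order_db", "order rows", validated=True, protected=True))
    return d


if __name__ == "__main__":
    for line in inspect(sample_design()):
        print(line)
```

Running the block on the sample design lists the single dmz/internal boundary, the two weaknesses on the flow that crosses it, and the fact that the privileged database is reachable from the public entry point; each finding is a starting point for the dialog with the architects that the page says the documents alone will not give you.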


Security Code Inspections

Security code inspection is an effective mechanism for uncovering security issues before testing or deployment begins. Performing code inspections helps you reduce the number of implementation errors in an application before it is deployed to a test team or to a customer. While design issues are the most expensive to fix, implementation issues are the most common.


Security Deployment Inspections

Application security is dependent upon the security of the underlying infrastructure on which the application is deployed. The deployment review, depending upon your application, will cover configuration of both the network and the host. When you review your security deployment, you can organize the precautions you must take and the settings you must configure into categories. By using these configuration categories, you can systematically review the entire application, or pick a particular category and complete specific steps.
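One way to organize a deployment review the way this section describes, with each precaution registered under a configuration category so that a reviewer can run the whole set or pick one category, is shown below. This is an added example, not code from the original page or from Guidance Share; the category names, the individual checks and their thresholds, and the host configuration it is run against are all constructed for the illustration and are not the page's categories.

```python
from __future__ import annotations

# Registry: configuration category -> [(check name, check function)]
CHECKS: dict[str, list] = {}


def check(category: str, name: str):
    """Decorator registering a check under a configuration category."""
    def register(fn):
        CHECKS.setdefault(category, []).append((name, fn))
        return fn
    return register


# --- checks; categories and thresholds are assumptions for the demonstration ---

@check("accounts", "guest account disabled")
def guest_disabled(cfg):
    return not cfg["accounts"]["guest_enabled"]


@check("accounts", "default administrator account renamed")
def admin_renamed(cfg):
    return "Administrator" not in cfg["accounts"]["admin_accounts"]


@check("services", "unneeded services not running")
def unneeded_services(cfg):
    unneeded = {"telnet", "ftp", "rsh"}   # assumed list of services a web host does not need
    return not unneeded & set(cfg["services"]["running"])


@check("ports", "only required ports listening")
def required_ports(cfg):
    required = {80, 443}                  # assumed for a web host
    return set(cfg["ports"]["listening"]) <= required


@check("auditing", "failed logons audited")
def failed_logons(cfg):
    return cfg["auditing"]["failed_logons"]


@check("auditing", "log retention of at least 90 days")
def retention(cfg):
    return cfg["auditing"]["log_retention_days"] >= 90


def run_inspection(cfg, category: str | None = None) -> dict[str, list[tuple[str, bool]]]:
    """Run every registered check, or only those in one category.
    Returns {category: [(check name, passed), ...]}."""
    selected = [category] if category else list(CHECKS)
    return {c: [(name, bool(fn(cfg))) for name, fn in CHECKS[c]] for c in selected}


def failures(results: dict[str, list[tuple[str, bool]]]) -> list[str]:
    """Flatten failed checks into sorted 'category: check' strings."""
    return sorted(f"{c}: {name}" for c, checks in results.items() for name, ok in checks if not ok)


# Constructed host configuration for the demonstration (not a real host)
SAMPLE_HOST = {
    "accounts": {"guest_enabled": False, "admin_accounts": ["ops-admin", "Administrator"]},
    "services": {"running": ["w3svc", "telnet", "dns"]},
    "ports": {"listening": [80, 443, 23]},
    "auditing": {"failed_logons": True, "log_retention_days": 30},
}

if __name__ == "__main__":
    for line in failures(run_inspection(SAMPLE_HOST)):
        print("FAIL", line)
    print("ports only:", run_inspection(SAMPLE_HOST, "ports"))
```

The registry is the point of the design: a new precaution is added by writing one function under the right category, a full review is `run_inspection(cfg)`, and a focused review of one category is `run_inspection(cfg, "ports")`, which is the "pick a particular category and complete specific steps" mode the section describes.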


Example: Server Configuration Categories

image:ServerConfigurationCategories.gif
