Security Review during Design and Architecture
Santhosh Kumar
Application Security and AI Expert | Helping Businesses Secure and Innovate
Performing security review for software during design and architecture
Is it really useful? We all know and say that the cost and effort of retrofitting security after development are too high. But do security reviews during the design and architecture phase really identify potential security loopholes in a piece of software?
Let me explain how, and in what ways, this can be useful.
A design & architecture review helps us certify the security-related features of our application before we start the development phase.
We know this, but how can it really identify potential security vulnerabilities during the design phase?
In every architecture or design review for security, all the development team has to do is answer questions predefined by the security reviewer. The questions are carefully constructed to reveal the security-related features of the software, and they are derived from the vulnerability classes known to affect software in general.
From the answers to these questions, together with the supporting functional and technical documents, a security reviewer can conclude whether or not the software is protected against certain types of vulnerabilities.
Sample questions
Do you restrict the number of failed login attempts? – The answer to this question shows whether the software is protected against common dictionary attacks.
Do you validate the inputs? – This reveals which inputs the application validates and which it potentially misses. Most applications validate user inputs but miss hidden form fields, cookie values, and stored secrets. Also, validation with a proper regular expression protects against common web application vulnerabilities like SQL Injection and Cross-Site Scripting.
Do you develop your own cryptography? – Cryptographic algorithms are extremely difficult to develop and get right. Custom crypto algorithms usually provide weaker protection than the proven platform-provided services.
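As an added example, not part of the original article, here is one way the control behind the first question (restricting failed login attempts) can be implemented: a per-account sliding window of failures that locks the account, including against a correct password, until the lockout expires. The thresholds, the account names and the injected clock are assumed values chosen for illustration.

```python
import time
from collections import deque


class FailedLoginLimiter:
    """Track failed logins per account and lock the account after too many
    failures inside a sliding window. Thresholds are assumed policy values."""

    def __init__(self, max_attempts=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._clock = clock          # injectable for deterministic testing
        self._failures = {}          # account -> deque of failure timestamps
        self._locked_until = {}      # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear state so the account gets a fresh window.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Register one failed attempt; return True if the account is now locked."""
        now = self._clock()
        attempts = self._failures.setdefault(account, deque())
        attempts.append(now)
        # Forget failures older than the window so slow, spread-out mistakes
        # do not accumulate into a lockout.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(limiter, account, password_ok):
    """Refuse locked accounts before the credential check; return 'locked', 'ok' or 'failed'."""
    if limiter.is_locked(account):
        return "locked"
    if password_ok:
        limiter.record_success(account)
        return "ok"
    return "locked" if limiter.record_failure(account) else "failed"
```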
Conclusion
It seems true that we can improve the security of software by spending the time and effort to analyze and review its architecture and design. Indeed, it is much easier and less expensive to fix vulnerabilities at design time than later in the development cycle, when substantial re-engineering might be required.