Application Security

Design according to SAMM – Secure Architecture in Application Security

“The security architecture practice focuses on managing architectural risks for the software solution.” Before we talk about secure architecture, we need to review one of the most important concepts. After all, what is Software Architecture?

If we search for this term on the web, it’s easy to find a lot of articles explaining what is Software Architecture, but we want to put this in short terms, we want to explain this simply.

Software Architecture is work with the basics of the software, it looks at the basic concepts e foundations of software construction. We need to understand what are the elements of the software, how they connect, and how they change information.

So, in simple words, Software Architecture is understanding how the software is structured, how the software is built, and how the communication of components internals and externals occurs.

Secure Software Architecture

Now we need to understand what is Secure Architecture. Building a secure application it’s not only about writing code. Building a secure application involves understanding the scenarios where this application will be inserted, and what is the risks that the application needs to be prepared for.

We talked about this in other articles, especially when we talk about Threat Modeling.

Looking at the architecture of an application it’s the same of look at a house blueprint, we need to think first about the foundation and how it can be adjusted to a series of events. An application’s the same, we need to think about the most basic components. So an application is like this, the foundations must be solid.

One of the first points of attention is how this application is documented, it’s not possible to review a secure architecture without documentation. This documentation can be like a high-level diagram, showing how the components exchange information with each other, and what is the data exchanged.

Remember, at the end of the day, what we want to protect is the data, so it makes perfect sense for you to understand the flow of that data within your application.

Let’s understand how OWASP SAMM sees the software architecture and how it can help us improve our model.

Two streams of action

As we have already said and reinforced by SAMM, the software architect looks at the set of components that were selected to compose the foundation of the application, but with a more security eye. And like any area of SAMM, it brings us 2 streams of action.

The first flow shows us the need to focus on architectural design and shows us that this aspect can have a very big impact on the software security posture, as well as the best design practices that can influence the application in general.

The second flow deals more directly with the management of the technology involved in building the application. Looking at the technology and frameworks that are used in this construction process is important and together with the other aspects of the software, they will deliver security.

Following with the understanding of a secure design process of an application, we need to understand that there are several points to be understood and addressed, as we said before, architecture deals with the fundamentals of construction

Therefore, one of the most basic points when looking at secure architecture in SAMM is to know if there is a concern with security in the early stages of building an application.

We often think of processes and activities that are very complex and difficult to measure, but the most basic stages of secure architecture really start with the basics, such as understanding if the development team has the knowledge that allows them to understand and help with construction. application security.

If this team does not have this knowledge, we need to build this knowledge. Here we can make a direct link to what the SAMM Education and Guides area brings us.

Likewise, do we have defined standards for the adoption of security components, do we validate these components? These are important points and should be on any software architect’s list.

If we look at a more mature form of a process, we must also ask ourselves how we control the application-building process and how we validate the use of security components.

Still, we can look more closely and understand if what we’ve already done about architecture evolves, and if it’s revised. We cannot understand that once the architecture has been created, it should no longer be looked at or even evaluated.

Facing changes

Software changes, the scenarios to which this application is inserted change and we need to reassess how the architecture, which now serves as a reference, behaves within these new changes.

In general, what we can learn in this short article is that looking at the architecture of an application is looking at its most basic components, it is understanding how it works and the scenarios in which it will be inserted. With that in mind, security thinking arises and flows in a more practical way because we now have the necessary knowledge to seek to deliver a more secure application.

I hope it somehow helped to bring you the importance of looking at software architecture in a different way, focusing more on your application’s security issues.

Nova call to action
About author

Articles

Over 15 years of experience in Information Security and Applications, graduated in Data Processing worked as a Professor and participated actively as an instructor on trainings to more than 6000 developers and IT teams. Father of two daughters and trader on free time.
Related posts
Application Security

Operations according to SAMM: Operational Management in Application Security

In this article, we will continue the series of publications on the OWASP SAMM (Software Assurance…
Read more
Application Security

An Application Security Program: AppSec Journey

First and foremost, Application Security (AppSec) must be integrated into every step of the…
Read more
Application Security

Operations according to SAMM: Environment Management and Application Security

This article is part of a series of publications based on the OWASP SAMM project, if you are…
Read more

Deixe um comentário