Application Security

Design according to SAMM – Secure Architecture in Application Security

“The security architecture practice focuses on managing architectural risks for the software solution.” Before we talk about secure architecture, we need to review one of the most important concepts. After all, what is Software Architecture?


If we search for this term on the web, it’s easy to find a lot of articles explaining what Software Architecture is, but we want to put it in short terms and explain it simply.

Software Architecture works with the basics of the software: it looks at the basic concepts and foundations of software construction. We need to understand what the elements of the software are, how they connect, and how they exchange information.

So, in simple words, Software Architecture is understanding how the software is structured, how it is built, and how communication between its internal and external components occurs.

Secure Software Architecture

Now we need to understand what Secure Architecture is. Building a secure application is not only about writing code. It involves understanding the scenarios in which the application will be inserted and the risks it needs to be prepared for.

We talked about this in other articles, especially when we talked about Threat Modeling.

Looking at the architecture of an application is like looking at a house blueprint: we first need to think about the foundation and how it can be adjusted to cope with a series of events. An application is the same. We need to think about its most basic components, and its foundations must be solid.

One of the first points of attention is how the application is documented; it’s not possible to review a secure architecture without documentation. This documentation can be something like a high-level diagram showing how the components exchange information with each other and what data is exchanged.

Remember, at the end of the day, what we want to protect is the data, so it makes perfect sense for you to understand the flow of that data within your application.
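
The documentation described above can also be kept in a form a script can review. The following is an added example, not code from this article or from OWASP SAMM; the component names, trust zones, data labels and the three checks are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample architecture: component name -> trust zone.
COMPONENTS = {
    "browser": "internet",
    "web-api": "dmz",
    "orders-db": "internal",
}

# Hypothetical labels for the data the application must protect.
SENSITIVE = {"credentials", "card_number", "customer_pii"}

@dataclass(frozen=True)
class Flow:
    source: str
    dest: str
    data: frozenset
    encrypted: bool
    authenticated: bool

# Constructed sample flows; "report-job" is deliberately missing from COMPONENTS.
FLOWS = [
    Flow("browser", "web-api", frozenset({"credentials", "customer_pii"}), True, True),
    Flow("web-api", "orders-db", frozenset({"card_number"}), False, True),
    Flow("report-job", "orders-db", frozenset({"order_totals"}), True, False),
]

def review(components, flows):
    """Return (flow, finding) pairs an architecture reviewer should raise."""
    findings = []
    for f in flows:
        label = f"{f.source}->{f.dest}"
        # A flow that names a component absent from the inventory means the docs are stale.
        for name in (f.source, f.dest):
            if name not in components:
                findings.append((label, f"undocumented component: {name}"))
        # Sensitive data must never travel over an unencrypted channel.
        sensitive = sorted(f.data & SENSITIVE)
        if sensitive and not f.encrypted:
            findings.append((label, f"sensitive data unencrypted: {', '.join(sensitive)}"))
        # Unknown components have no zone, so they are treated as crossing a boundary.
        crosses = components.get(f.source) != components.get(f.dest)
        if crosses and not f.authenticated:
            findings.append((label, "unauthenticated flow across trust zones"))
    return findings

if __name__ == "__main__":
    for label, finding in review(COMPONENTS, FLOWS):
        print(f"{label}: {finding}")
```

Run in a build pipeline, a check like this fails when a new flow is added without updating the component inventory, which keeps the diagram and the application from drifting apart.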

Let’s look at how OWASP SAMM sees software architecture and how it can help us improve our model.

Two streams of action

As we have already said, and as SAMM reinforces, the software architect looks at the set of components selected to form the foundation of the application, but with an eye more focused on security. And like any area of SAMM, it brings us two streams of action.

The first stream shows the need to focus on architectural design, an aspect that can have a very big impact on the software’s security posture, along with the design best practices that can influence the application in general.

The second stream deals more directly with managing the technology involved in building the application. Looking at the technologies and frameworks used in this construction process is important; together with the other aspects of the software, they will deliver security.

Continuing with the secure design process of an application, there are several points to be understood and addressed because, as we said before, architecture deals with the fundamentals of construction.

Therefore, one of the most basic points when looking at secure architecture in SAMM is to know if there is a concern with security in the early stages of building an application.

We often think of processes and activities that are very complex and difficult to measure, but the most basic stages of secure architecture really start with the basics, such as understanding whether the development team has the knowledge needed to understand and help build application security.

If the team does not have this knowledge, we need to build it. Here we can make a direct link to what the SAMM Education and Guidance area brings us.

Likewise, do we have defined standards for the adoption of security components? Do we validate these components? These are important points and should be on any software architect’s list.

If we look at a more mature form of a process, we must also ask ourselves how we control the application-building process and how we validate the use of security components.

We can also look more closely and understand whether the architecture work we’ve already done evolves and whether it is revised. We cannot assume that once the architecture has been created, it no longer needs to be looked at or evaluated.

Facing changes

Software changes, the scenarios in which the application is inserted change, and we need to reassess how the architecture, which now serves as a reference, behaves under these changes.

In general, what we can learn from this short article is that looking at the architecture of an application means looking at its most basic components and understanding how it works and the scenarios in which it will be inserted. With that in mind, security thinking arises and flows in a more practical way, because we now have the knowledge we need to deliver a more secure application.

I hope this somehow helped convey the importance of looking at software architecture in a different way, focusing more on your application’s security issues.


SAMM article series

  1. Governance according to SAMM: Strategy and Metrics in Application Security
  2. Governance according to SAMM: Policies and Conformities in Application Security
  3. Governance According to SAMM: Application Security Education and Guidance
  4. Design according to SAMM: Threat Modeling in Application Security
  5. Design According to SAMM: Security Requirements in AppSec
  6. Design according to SAMM – Secure Architecture in Application Security
  7. Implementation according to SAMM: Secure Build in Application Security
  8. Implementation according to SAMM: Secure Deployment in Application Security
  9. Implementation According to SAMM: Defect Management in AppSec
  10. Verification according to SAMM: Application Security Architecture Analysis
  11. Verification according to SAMM: Requirements-Driven Testing in Application Security
  12. Verification according to SAMM: Security Tests in Application Security
  13. Operations according to SAMM: Application Security Incident Management
  14. Operations according to SAMM: Environment Management and Application Security
  15. Operations according to SAMM: Operational Management in Application Security
About author


Over 15 years of experience in Information Security and Applications. Graduated in Data Processing, worked as a professor, and participated actively as an instructor in training for more than 6000 developers and IT teams. Father of two daughters and trader in free time.