Application Security

Security at the early stages of the Software Architecture: the Developer’s role

Security is a key quality attribute in the context of software architecture, and it should therefore be treated as a priority. But what are the challenges involved in this process? And what tools and references can help?

Itaú Unibanco’s Security Engineer and Cyber Defense Specialist, Erick Belluci Tedeschi, and our CEO, Wagner Elias, covered these and other topics during a Conviso webinar. The free online event took place in November 2022. Throughout the meeting, Erick and Wagner addressed architecture as one of the developers’ responsibilities. “Devs need to learn about architecture”, stated Wagner. “It is common for those with a background in development to associate security strictly with software, but it is important to emphasize that the architecture is part of it as well”, he added. They also addressed the importance of documentation in architecture, which developers still often neglect.

Who is responsible for security architecture? 

According to the experts, one challenge in the market is dealing with the false myth that architecture is not the responsibility of programmers. Wagner also cited the concept of software architecture according to one of the leading authors on the subject, Martin Fowler, who states that architecture is the exchange of knowledge of all the components that make up software.

Erick also commented on new ways of approaching the topic within companies. “Architecture is normally the responsibility of more than one area, not just the security team, and that is why today many companies even have a Foundation team, who will make the skeleton, design the target or reference architecture so that other teams can follow. This should come before any line of code”, remarked Erick.

The importance of threat modeling 

Erick and Wagner also reinforced the importance of threat modeling. “All of the decisions involved in making architectures more resilient and secure are based on risk analysis, which is why threat modeling is fundamental”, explained the Conviso CEO. Erick also added that it helps to give visibility to the team. “It’s an important step, and it’s essential that all the team members are aware of it for a better understanding, and to be able to map threats and rank them”, he explained.

At the end of the webinar, Erick gave tips for those who want to learn more about the subject: listening to podcasts, searching lectures on YouTube, participating in events, and always seeking to improve. “One of the things I always ask candidates for a job at the company is how they usually update their knowledge, as that’s an essential trait”.

About author

Communication Analyst at Conviso. With a degree in Journalism, she has 10 years of experience as a content strategist, as well as a content editor.