Security is a relevant attribute for quality within a software architecture context. Therefore, it should be a priority. But what are the challenges involved in this process? And what are the tools and references that can help?
Itaú Unibanco’s Security Engineer and Cyber Defense Specialist, Erick Belluci Tedeschi, and our CEO, Wagner Elias, covered these and other topics during a Conviso webinar. The online and free event took place in November 2022. Throughout the meeting, Erick and Wagner addressed architecture as one of the developers’ responsibilities. “Devs need to learn about architecture”, stated Wagner. “It is common for those with a background in development to associate security strictly with software, but it is important to emphasize that the architecture is part of it as well,” he added. They also addressed the importance of documentation in architecture, which developers still often neglect.
Who is responsible for security architecture?
According to the experts, one challenge in the market is dispelling the myth that architecture is not the responsibility of programmers. Wagner also cited the concept of software architecture according to one of the greatest authors on the subject, Martin Fowler, who states that architecture is the exchange of knowledge of all the components that make up software.
Erick also commented on new ways of approaching the topic within companies. “Architecture is normally the responsibility of more than one area, not just the security team, and that is why today many companies even have a Foundation team, who will make the skeleton, design the target or reference architecture so that other teams can follow. This should come before any line of code”, remarked Erick.
The importance of threat modeling
Erick and Wagner also reinforced the importance of threat modeling. “All of the decisions involved in making architectures more resilient and secure are based on risk analysis, which is why threat modeling is fundamental”, explained the Conviso CEO. Erick also added that it helps to give visibility to the team. “It’s an important step, and it’s essential that all the team members are aware of it for a better understanding, and to be able to map threats and rank them”, he explained.
At the end of the webinar, Erick gave tips for those who want to learn more about the subject: listening to podcasts, searching for lectures on YouTube, participating in events, and always seeking to improve. “One of the things I always ask candidates for a job at the company is how they usually update their knowledge, as that’s an essential trait”.