Performance, scalability, and usability are some of the factors that development teams typically take into consideration when planning the architecture of a software system. However, another important but often overlooked aspect is security in software architecture.
In this article, we’ll explore why it is essential to consider security when considering software architecture.
Ralph Johnson, a renowned author in the field of software architecture, offers several definitions of architecture. One of his definitions characterizes it as “the decisions you wish you could get right early in a project. “ This emphasizes the importance of making the right decisions early on in the software design process, as these choices can have a significant impact on the project’s overall success. Johnson’s vision highlights the importance of thoroughly and deliberately planning to ensure that the architecture of a software system is sound from the start.
Another of Johnson’s definitions of architecture emphasizes the need to focus on the critical aspects of a system. He states, “Architecture is about the important stuff. Whatever that is”. This highlights the importance of identifying the most significant elements of a software system and prioritizing them accordingly. By doing that, development teams can ensure that their software meets the essential security and quality needs of both users and stakeholders. This definition also brings attention to the seriousness of taking a strategic and deliberate approach to software architecture, focusing on the most vital aspects of a system to achieve the best possible outcomes.
Martin Fowler, another prominent voice in the software architecture field, echoes Ralph Johnson’s views and adds that “the heart of thinking architecturally about software is to decide what is important, and then expend energy on keeping those architectural elements in good condition“. Fowler maintains that focusing on what truly matters sets good architecture apart from poor and mediocre ones. This further reinforces the idea that a successful software architecture prioritizes the critical aspects of a system and takes deliberate steps to ensure its protection and longevity.
Security in Software Architecture
Considering security as a primary aspect during the software design phase is crucial. As we have seen earlier, making important decisions at the beginning of the architecture design process is key to ensuring the project’s sustainable growth.
Identifying and addressing potential security risks during this early stage can prevent attacks that could damage the business.
This perspective is particularly significant within the Application Security (AppSec) field. Activities like Attack Surface Analysis and Threat Modeling demonstrate this in practice, by improving architecture security through a structured approach to risk identification and mitigation during the application design phase.
OWASP, through its Software Assurance Maturity Model (SAMM), reinforces this perspective, sharing the vision of Martin Fowler and Ralph Johnson and emphasizing the importance of including security from the beginning of a software project, rather than treating it as an afterthought.
Finally, it is essential to note that development teams should not only consider the security of their architecture during the system design phase, but also consider such issues as the project grows. This will be an ongoing effort, and the architecture will need to be regularly reviewed and updated to ensure its security and overall health.