|
|
| (13 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| − | Authored by [http://www.zeltser.com Lenny Zeltser]<br/>
| + | Moved to [[Application Security Architecture Cheat Sheet]]. |
| − | original version [http://www.zeltser.com/security-management/security-architecture-cheat-sheet.pdf http://www.zeltser.com/security-management/security-architecture-cheat-sheet.pdf]<br/>
| |
| − | | |
| − | <b>SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS</b><br/>
| |
| − | This cheat sheet offers tips for the initial design and review of an application’s security architecture.<br/>
| |
| − | | |
| − | * #1: BUSINESS REQUIREMENTS
| |
| − | ; Business Model
| |
| − | : What is the application’s primary business purpose?
| |
| − | : How will the application make money?
| |
| − | : What are the planned business milestones for developing or improving the application?
| |
| − | : How is the application marketed?
| |
| − | : What key benefits does application offer its users?
| |
| − | : What business continuity provisions have been defined for the application?
| |
| − | : What geographic areas does the application service?
| |
| − | ; Data Essentials
| |
| − | : What data does the application receive, produce, and process?
| |
| − | : How can the data be classified into categories according to its sensitivity?
| |
| − | : How might an attacker benefit from capturing or modifying the data?
| |
| − | : What data backup and retention requirements have been defined for the application?
| |
| − | ; End‐Users
| |
| − | : Who are the application’s end‐users?
| |
| − | : How do the end‐users interact with the application?
| |
| − | : What security expectations do the end‐users have?
| |
| − | ; Partners
| |
| − | : Which third‐parties supply data to the application?
| |
| − | : Which third‐parties receive data from the applications?
| |
| − | : Which third‐parties process the application’s data?
| |
| − | : What mechanisms are used to share data with third‐parties besides the application itself?
| |
| − | : What security requirements do the partners impose?
| |
| − | ; Administrators
| |
| − | : Who has administrative capabilities in the application?
| |
| − | : What administrative capabilities does the application offer?
| |
| − | ; Regulations
| |
| − | : In what industries does the application operate?
| |
| − | : What security‐related regulations apply?
| |
| − | : What auditing and compliance regulations apply?
| |
| − | * #2: INFRASTRUCTURE REQUIREMENTS
| |
| − | ; Network
| |
| − | : What details regarding routing, switching, firewalling, and load‐balancing have been defined?
| |
| − | : What network design supports the application?
| |
| − | : What core network devices support the application?
| |
| − | : What network performance requirements exist?
| |
| − | : What private and public network links support the application?
| |
| − | ;Systems
| |
| − | : What operating systems support the application?
| |
| − | : What hardware requirements have been defined?
| |
| − | : What details regarding required OS components and lock‐down needs have been defined?
| |
| − | ; Infrastructure Monitoring
| |
| − | : What network and system performance monitoring requirements have been defined?
| |
| − | : What mechanisms exist to detect malicious code or compromised application components?
| |
| − | : What network and system security monitoring requirements have been defined?
| |
| − | ; Virtualization and Externalization
| |
| − | : What aspects of the application lend themselves to virtualization?
| |
| − | : What virtualization requirements have been defined for the application?
| |
| − | : What aspects of the product may or may not be hosted via the cloud computing model?
| |
| − | * #3: APPLICATION REQUIREMENTS
| |
| − | ; Environment
| |
| − | : What frameworks and programming languages have been used to create the application?
| |
| − | : What process, code, or infrastructure dependencies have been defined for the application?
| |
| − | : What databases and application servers support the application?
| |
| − | ; Data Processing
| |
| − | : What data entry paths does the application support?
| |
| − | : What data output paths does the application support?
| |
| − | : How does data flow across the application’s internal components?
| |
| − | : What data input validation requirements have been defined?
| |
| − | : What data does the application store and how?
| |
| − | : What data is or may need to be encrypted and what key management requirements have been defined?
| |
| − | : What capabilities exist to detect the leakage of sensitive data?
| |
| − | : What encryption requirements have been defined for data in transit over WAN and LAN links?
| |
