This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Security Architecture Cheat Sheet"
From OWASP
m |
m |
||
| Line 12: | Line 12: | ||
: What geographic areas does the application service? | : What geographic areas does the application service? | ||
; Data Essentials | ; Data Essentials | ||
| − | What data does the application receive, produce, and process? | + | ; What data does the application receive, produce, and process? |
| − | How can the data be classified into categories according to its sensitivity? | + | : How can the data be classified into categories according to its sensitivity? |
| − | How might an attacker benefit from capturing or modifying the data? | + | : How might an attacker benefit from capturing or modifying the data? |
| − | What data backup and retention requirements have been defined for the application? | + | : What data backup and retention requirements have been defined for the application? |
; End‐Users | ; End‐Users | ||
| − | Who are the application’s end‐users? | + | : Who are the application’s end‐users? |
| − | How do the end‐users interact with the application? | + | : How do the end‐users interact with the application? |
| − | What security expectations do the end‐users have? | + | : What security expectations do the end‐users have? |
; Partners | ; Partners | ||
| − | Which third‐parties supply data to the application? | + | : Which third‐parties supply data to the application? |
| − | Which third‐parties receive data from the applications? | + | : Which third‐parties receive data from the applications? |
| − | Which third‐parties process the application’s data? | + | : Which third‐parties process the application’s data? |
| − | What mechanisms are used to share data with third‐parties besides the application itself? | + | : What mechanisms are used to share data with third‐parties besides the application itself? |
| − | What security requirements do the partners impose? | + | : What security requirements do the partners impose? |
; Administrators | ; Administrators | ||
| − | Who has administrative capabilities in the application? | + | : Who has administrative capabilities in the application? |
| − | What administrative capabilities does the application offer? | + | : What administrative capabilities does the application offer? |
; Regulations | ; Regulations | ||
| − | In what industries does the application operate? | + | : In what industries does the application operate? |
| − | What security‐related regulations apply? | + | : What security‐related regulations apply? |
| − | What auditing and compliance regulations apply? | + | : What auditing and compliance regulations apply? |
| − | |||
* #2: INRASTRUCTURE REQUIREMENTS | * #2: INRASTRUCTURE REQUIREMENTS | ||
; Network | ; Network | ||
| − | What details regarding routing, switching, firewalling, and load‐balancing have been defined? | + | : What details regarding routing, switching, firewalling, and load‐balancing have been defined? |
| − | What network design supports the application? | + | : What network design supports the application? |
| − | What core network devices support the application? | + | : What core network devices support the application? |
| − | What network performance requirements exist? | + | : What network performance requirements exist? |
| − | What private and public network links support the application? | + | : What private and public network links support the application? |
| − | Authored by [Lenny Zeltser http://www.zeltser.com/] | + | : Authored by [Lenny Zeltser http://www.zeltser.com/] |
;Systems | ;Systems | ||
| − | What operating systems support the application? | + | : What operating systems support the application? |
| − | What hardware requirements have been defined? | + | : What hardware requirements have been defined? |
| − | What details regarding required OS components and lock‐down needs have been defined? | + | : What details regarding required OS components and lock‐down needs have been defined? |
;Infrastructure Monitoring | ;Infrastructure Monitoring | ||
What network and system performance monitoring requirements have been defined? | What network and system performance monitoring requirements have been defined? | ||
| Line 51: | Line 50: | ||
What network and system security monitoring requirements have been defined? | What network and system security monitoring requirements have been defined? | ||
;Virtualization and Externalization | ;Virtualization and Externalization | ||
| − | What aspects of the application lend themselves to virtualization? | + | : What aspects of the application lend themselves to virtualization? |
| − | What virtualization requirements have been defined for the application? | + | : What virtualization requirements have been defined for the application? |
| − | What aspects of the product may or may not be hosted via the cloud computing model? | + | : What aspects of the product may or may not be hosted via the cloud computing model? |
* #3: APPLICATION REQUIREMENTS | * #3: APPLICATION REQUIREMENTS | ||
; Environment | ; Environment | ||
| − | What frameworks and programming languages have been used to create the application? | + | : What frameworks and programming languages have been used to create the application? |
| − | What process, code, or infrastructure dependencies have been defined for the application? | + | : What process, code, or infrastructure dependencies have been defined for the application? |
| − | What databases and application servers support the application? | + | : What databases and application servers support the application? |
; Data Processing | ; Data Processing | ||
| − | What data entry paths does the application support? | + | : What data entry paths does the application support? |
| − | What data output paths does the application support? | + | : What data output paths does the application support? |
| − | How does data flow across the application’s internal components? | + | : How does data flow across the application’s internal components? |
| − | What data input validation requirements have been defined? | + | : What data input validation requirements have been defined? |
| − | What data does the application store and how? | + | : What data does the application store and how? |
| − | What data is or may need to be encrypted and what key management requirements have been defined? | + | : What data is or may need to be encrypted and what key management requirements have been defined? |
| − | What capabilities exist to detect the leakage of sensitive data? | + | : What capabilities exist to detect the leakage of sensitive data? |
| − | What encryption requirements have been defined for data in transit over WAN and LAN links? | + | : What encryption requirements have been defined for data in transit over WAN and LAN links? |
Revision as of 03:11, 20 June 2009
SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS
This cheat sheet offers tips for the initial design and review of an application’s security architecture.
- #1: BUSINESS REQUIREMENTS
- Business Model
- What is the application’s primary business purpose?
- How will the application make money?
- What are the planned business milestones for developing or improving the application?
- How is the application marketed?
- What key benefits does application offer its users?
- What business continuity provisions have been defined for the application?
- What geographic areas does the application service?
- Data Essentials
- What data does the application receive, produce, and process?
- How can the data be classified into categories according to its sensitivity?
- How might an attacker benefit from capturing or modifying the data?
- What data backup and retention requirements have been defined for the application?
- End‐Users
- Who are the application’s end‐users?
- How do the end‐users interact with the application?
- What security expectations do the end‐users have?
- Partners
- Which third‐parties supply data to the application?
- Which third‐parties receive data from the applications?
- Which third‐parties process the application’s data?
- What mechanisms are used to share data with third‐parties besides the application itself?
- What security requirements do the partners impose?
- Administrators
- Who has administrative capabilities in the application?
- What administrative capabilities does the application offer?
- Regulations
- In what industries does the application operate?
- What security‐related regulations apply?
- What auditing and compliance regulations apply?
- #2: INRASTRUCTURE REQUIREMENTS
- Network
- What details regarding routing, switching, firewalling, and load‐balancing have been defined?
- What network design supports the application?
- What core network devices support the application?
- What network performance requirements exist?
- What private and public network links support the application?
- Authored by [Lenny Zeltser http://www.zeltser.com/]
- Systems
- What operating systems support the application?
- What hardware requirements have been defined?
- What details regarding required OS components and lock‐down needs have been defined?
- Infrastructure Monitoring
What network and system performance monitoring requirements have been defined? What mechanisms exist to detect malicious code or compromised application components? What network and system security monitoring requirements have been defined?
- Virtualization and Externalization
- What aspects of the application lend themselves to virtualization?
- What virtualization requirements have been defined for the application?
- What aspects of the product may or may not be hosted via the cloud computing model?
- #3: APPLICATION REQUIREMENTS
- Environment
- What frameworks and programming languages have been used to create the application?
- What process, code, or infrastructure dependencies have been defined for the application?
- What databases and application servers support the application?
- Data Processing
- What data entry paths does the application support?
- What data output paths does the application support?
- How does data flow across the application’s internal components?
- What data input validation requirements have been defined?
- What data does the application store and how?
- What data is or may need to be encrypted and what key management requirements have been defined?
- What capabilities exist to detect the leakage of sensitive data?
- What encryption requirements have been defined for data in transit over WAN and LAN links?
