Difference between revisions of "Security Architecture Cheat Sheet"
| Line 1: | Line 1: | ||
| + | Authored by [Lenny Zeltser http://www.zeltser.com/]<br/> | ||
| + | original version [http://www.zeltser.com/security-management/security-architecture-cheat-sheet.pdf http://www.zeltser.com/security-management/security-architecture-cheat-sheet.pdf]<br/> | ||
| + | |||
<b>SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS</b><br/> | <b>SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS</b><br/> | ||
This cheat sheet offers tips for the initial design and review of an application’s security architecture.<br/> | This cheat sheet offers tips for the initial design and review of an application’s security architecture.<br/> | ||
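Review bot: the added attribution line writes the external link label-first, as `[Lenny Zeltser http://www.zeltser.com/]`. MediaWiki external links take the URL first and the label second, so this should be `[http://www.zeltser.com/ Lenny Zeltser]`; as written the square brackets show up literally in the rendered page. The second added line repeats the PDF URL as its own label, so a bare URL would render the same with less markup.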
| Line 33: | Line 36: | ||
: What security‐related regulations apply? | : What security‐related regulations apply? | ||
: What auditing and compliance regulations apply? | : What auditing and compliance regulations apply? | ||
| − | * #2: | + | * #2: INFRASTRUCTURE REQUIREMENTS |
; Network | ; Network | ||
: What details regarding routing, switching, firewalling, and load‐balancing have been defined? | : What details regarding routing, switching, firewalling, and load‐balancing have been defined? | ||
| Line 40: | Line 43: | ||
: What network performance requirements exist? | : What network performance requirements exist? | ||
: What private and public network links support the application? | : What private and public network links support the application? | ||
| − | |||
;Systems | ;Systems | ||
: What operating systems support the application? | : What operating systems support the application? | ||
: What hardware requirements have been defined? | : What hardware requirements have been defined? | ||
: What details regarding required OS components and lock‐down needs have been defined? | : What details regarding required OS components and lock‐down needs have been defined? | ||
| − | ;Infrastructure Monitoring | + | ; Infrastructure Monitoring |
: What network and system performance monitoring requirements have been defined? | : What network and system performance monitoring requirements have been defined? | ||
: What mechanisms exist to detect malicious code or compromised application components? | : What mechanisms exist to detect malicious code or compromised application components? | ||
: What network and system security monitoring requirements have been defined? | : What network and system security monitoring requirements have been defined? | ||
| − | ;Virtualization and Externalization | + | ; Virtualization and Externalization |
: What aspects of the application lend themselves to virtualization? | : What aspects of the application lend themselves to virtualization? | ||
: What virtualization requirements have been defined for the application? | : What virtualization requirements have been defined for the application? | ||
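Review bot: the space added after `;` is applied to the Infrastructure Monitoring and Virtualization and Externalization terms, but `;Systems` in the same hunk is left as unchanged context without it. Add the space there as well so every definition-list term in section #2 matches `; Network`.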
Revision as of 03:12, 20 June 2009
Authored by Lenny Zeltser (http://www.zeltser.com/)
Original version: http://www.zeltser.com/security-management/security-architecture-cheat-sheet.pdf
SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS
This cheat sheet offers tips for the initial design and review of an application’s security architecture.
- #1: BUSINESS REQUIREMENTS
  - Business Model
    - What is the application’s primary business purpose?
    - How will the application make money?
    - What are the planned business milestones for developing or improving the application?
    - How is the application marketed?
    - What key benefits does the application offer its users?
    - What business continuity provisions have been defined for the application?
    - What geographic areas does the application service?
  - Data Essentials
    - What data does the application receive, produce, and process?
    - How can the data be classified into categories according to its sensitivity?
    - How might an attacker benefit from capturing or modifying the data?
    - What data backup and retention requirements have been defined for the application?
  - End‐Users
    - Who are the application’s end‐users?
    - How do the end‐users interact with the application?
    - What security expectations do the end‐users have?
  - Partners
    - Which third‐parties supply data to the application?
    - Which third‐parties receive data from the application?
    - Which third‐parties process the application’s data?
    - What mechanisms are used to share data with third‐parties besides the application itself?
    - What security requirements do the partners impose?
  - Administrators
    - Who has administrative capabilities in the application?
    - What administrative capabilities does the application offer?
  - Regulations
    - In what industries does the application operate?
    - What security‐related regulations apply?
    - What auditing and compliance regulations apply?
- #2: INFRASTRUCTURE REQUIREMENTS
  - Network
    - What details regarding routing, switching, firewalling, and load‐balancing have been defined?
    - What network design supports the application?
    - What core network devices support the application?
    - What network performance requirements exist?
    - What private and public network links support the application?
  - Systems
    - What operating systems support the application?
    - What hardware requirements have been defined?
    - What details regarding required OS components and lock‐down needs have been defined?
  - Infrastructure Monitoring
    - What network and system performance monitoring requirements have been defined?
    - What mechanisms exist to detect malicious code or compromised application components?
    - What network and system security monitoring requirements have been defined?
  - Virtualization and Externalization
    - What aspects of the application lend themselves to virtualization?
    - What virtualization requirements have been defined for the application?
    - What aspects of the product may or may not be hosted via the cloud computing model?
- #3: APPLICATION REQUIREMENTS
  - Environment
    - What frameworks and programming languages have been used to create the application?
    - What process, code, or infrastructure dependencies have been defined for the application?
    - What databases and application servers support the application?
  - Data Processing
    - What data entry paths does the application support?
    - What data output paths does the application support?
    - How does data flow across the application’s internal components?
    - What data input validation requirements have been defined?
    - What data does the application store and how?
    - What data is or may need to be encrypted and what key management requirements have been defined?
    - What capabilities exist to detect the leakage of sensitive data?
    - What encryption requirements have been defined for data in transit over WAN and LAN links?