Security Architecture Cheat Sheet, Cheat Sheet of Architecture

This cheat sheet offers tips for the initial design and review of an application’s security architecture.

Typology: Cheat Sheet

2019/2020

Uploaded on 11/27/2020

shahid_88c
SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS

This cheat sheet offers tips for the initial design and review of an application’s security architecture.

#1: BUSINESS REQUIREMENTS

Business Model
What is the application’s primary business purpose?
How will the application make money?
What are the planned business milestones for developing or improving the application?
How is the application marketed?
What key benefits does the application offer users?
What business continuity provisions have been defined for the application?
What geographic areas does the application service?

Data Essentials
What data does the application receive, produce, and process?
How can the data be classified into categories according to its sensitivity?
How might an attacker benefit from capturing or modifying the data?
What data backup and retention requirements have been defined for the application?

End-Users
Who are the application’s end-users?
How do the end-users interact with the application?
What security expectations do the end-users have?

Partners
Which third-parties supply data to the application?
Which third-parties receive data from the application?
Which third-parties process the application’s data?
What mechanisms are used to share data with third-parties besides the application itself?
What security requirements do the partners impose?

Administrators
Who has administrative capabilities in the application?
What administrative capabilities does the application offer?

Regulations
In what industries does the application operate?
What security-related regulations apply?
What auditing and compliance regulations apply?

#2: INFRASTRUCTURE REQUIREMENTS

Network
What details regarding routing, switching, firewalling, and load-balancing have been defined?
What network design supports the application?
What core network devices support the application?
What network performance requirements exist?
What private and public network links support the application?

Systems
What operating systems support the application?
What hardware requirements have been defined?
What details regarding required OS components and lock-down needs have been defined?

Infrastructure Monitoring
What network and system performance monitoring requirements have been defined?
What mechanisms exist to detect malicious code or compromised application components?
What network and system security monitoring requirements have been defined?

Virtualization and Externalization
What aspects of the application lend themselves to virtualization?
What virtualization requirements have been defined for the application?
What aspects of the product may or may not be hosted via the cloud computing model?

#3: APPLICATION REQUIREMENTS

Environment
What frameworks and programming languages have been used to create the application?
What process, code, or infrastructure dependencies have been defined for the application?
What databases and application servers support the application?

Data Processing
What data entry paths does the application support?
What data output paths does the application support?
How does data flow across the application’s internal components?
What data input validation requirements have been defined?
What data does the application store and how?
What data is or may need to be encrypted and what key management requirements have been defined?
What capabilities exist to detect the leakage of sensitive data?
What encryption requirements have been defined for data in transit over WAN and LAN links?

Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him on Twitter. Special thanks to Slava Frid for feedback.
Creative Commons v3 “Attribution” License for this cheat sheet version 1.2. See Lenny’s other cheat sheets.

Access
What user privilege levels does the application support?
What user identification and authentication requirements have been defined?
What user authorization requirements have been defined?
What session management requirements have been defined?
What access requirements have been defined for URI and Service calls?
What user access restrictions have been defined?
How are user identities maintained throughout transaction calls?

Application Monitoring
What application auditing requirements have been defined?
What application performance monitoring requirements have been defined?
What application security monitoring requirements have been defined?
What application error handling and logging requirements have been defined?
How are audit and debug logs accessed, stored, and secured?

Application Design
What application design review practices have been defined and executed?
How is intermediate or in-process data stored in the application components’ memory and in cache?
How many logical tiers group the application's components?
What staging, testing, and Quality Assurance requirements have been defined?

#4: SECURITY PROGRAM REQUIREMENTS

Operations
What is the process for identifying and addressing vulnerabilities in the application?
What is the process for identifying and addressing vulnerabilities in network and system components?
What access do system and network administrators have to the application’s sensitive data?
What security incident requirements have been defined?
How do administrators access production infrastructure to manage it?
What physical controls restrict access to the application’s components and data?
What is the process for granting access to the environment hosting the application?

Change Management
How are changes to the code controlled?
How are changes to the infrastructure controlled?
How is code deployed to production?
What mechanisms exist to detect violations of change management practices?

Software Development
What data is available to developers for testing?
How do developers assist with troubleshooting and debugging the application?
What requirements have been defined for controlling access to the application's source code?
What secure coding processes have been established?

Corporate
What corporate security program requirements have been defined?
What security training do developers and administrators undergo?
Which personnel oversees security processes and requirements related to the application?
What employee initiation and termination procedures have been defined?
What application requirements impose the need to enforce the principle of separation of duties?
What controls exist to protect a compromised in the corporate environment from affecting production?
What security governance requirements have been defined?

Additional Resources
OWASP Guide to Building Secure Web Applications: http://www.owasp.org/index.php/OWASP_Guide...
ISO Standard: Code of Practice: http://www.iso.org/iso/catalogue...
BITS Standards for Vendor Assessments: http://www.sharedassessments.org/download...
Guidance for Critical Areas in Cloud Computing: http://www.cloudsecurityalliance.org/guidance...
Payment Card Industry (PCI) Data Security Standard: https://www.pcisecuritystandards.org/security...
How to Write an Information Security Policy: http://www.csoonline.com/article/print/
IT Infrastructure Threat Modeling Guide: http://www.microsoft.com/downloads...