Application Security Architecture Review

A review and analysis of relevant application artifacts (e.g. requirements, system security plan, business use cases, threat analysis) to identify how the data, application, and technology architecture of the solution protects critical assets, sensitive data stores, and business-critical interconnections in accordance with the organization's business and security objectives. Key activities include:

  • Leveraging the Threat Assessment (where available) to understand potential attack vectors and focus the review activities on the most critical elements;
  • Consulting with members of the application development team and management to understand:
    • the business goals and control objectives (security requirements) as they relate to data confidentiality, integrity, availability, and provability;
    • ingress, egress, and intra-application data flows (and corresponding security treatment);
    • application architecture and key application components;
    • core technologies integral to the application and/or those that the application is reliant upon to achieve its security objectives; and,
    • core operational processes integral to the application and/or those that the application relies upon to achieve its security objectives.
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report will also include: root cause analysis, peer-group benchmarking, good-practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by an Application Security Architecture Review are:

  • Provides a high level of design assurance by looking at the application in a comprehensive and holistic manner;
  • Findings can be used to identify other necessary assurance activities and to focus downstream activities on the most relevant issues and targets in large-scale, enterprise-level applications;
  • Allows an entity to address security deficiencies in the design phase, where the cost of remediation is lowest.

Application Security Architecture Reviews are best used:

  • During the early design phases of the development life cycle, to ensure that security is "baked in" to the application. This approach reduces the likelihood that security will need to be "bolted on" to the application pre-deployment, at greater expense and with less efficacy.
  • Post-design and pre-deployment, to validate that the deployment is consistent with the design and to focus the certification and accreditation activities on those areas that will provide the greatest level of assurance.