Difference between revisions of "Application Security Architecture Cheat Sheet"

From OWASP
Jump to: navigation, search
(Authors and Primary Editors)
m (Minor)
Line 1: Line 1:
 +
<br/>
 
= DRAFT CHEAT SHEET - WORK IN PROGRESS =
 
= DRAFT CHEAT SHEET - WORK IN PROGRESS =
 +
 +
<br/>
 
= Introduction =  
 
= Introduction =  
This cheat sheet offers tips for the initial design and review of an application’s security architecture.
+
 
 +
This cheat sheet offers tips for the initial design and review of an application's security architecture.
  
 
<br/>
 
<br/>
 
= Business Requirements =  
 
= Business Requirements =  
 +
 
== Business Model ==
 
== Business Model ==
* What is the application’s primary business purpose?
+
 
 +
* What is the application's primary business purpose?
 
* How will the application make money?
 
* How will the application make money?
 
* What are the planned business milestones for developing or improving the application?
 
* What are the planned business milestones for developing or improving the application?
Line 13: Line 19:
 
* What business continuity provisions have been defined for the application?
 
* What business continuity provisions have been defined for the application?
 
* What geographic areas does the application service?
 
* What geographic areas does the application service?
 +
 
== Data Essentials ==
 
== Data Essentials ==
 +
 
* What data does the application receive, produce, and process?
 
* What data does the application receive, produce, and process?
 
* How can the data be classified into categories according to its sensitivity?
 
* How can the data be classified into categories according to its sensitivity?
 
* How might an attacker benefit from capturing or modifying the data?
 
* How might an attacker benefit from capturing or modifying the data?
 
* What data backup and retention requirements have been defined for the application?
 
* What data backup and retention requirements have been defined for the application?
 +
 
== End‐Users ==
 
== End‐Users ==
* Who are the application’s end‐users?
+
 
 +
* Who are the application's end‐users?
 
* How do the end‐users interact with the application?
 
* How do the end‐users interact with the application?
 
* What security expectations do the end‐users have?
 
* What security expectations do the end‐users have?
 +
 
== Partners ==
 
== Partners ==
* Which third‐parties supply data to the application?
+
 
* Which third‐parties receive data from the applications?
+
* Which third parties supply data to the application?
* Which third‐parties process the application’s data?
+
* Which third parties receive data from the applications?
 +
* Which third parties process the application's data?
 
* What mechanisms are used to share data with third‐parties besides the application itself?
 
* What mechanisms are used to share data with third‐parties besides the application itself?
 
* What security requirements do the partners impose?
 
* What security requirements do the partners impose?
 +
 
== Administrators ==
 
== Administrators ==
 +
 
* Who has administrative capabilities in the application?
 
* Who has administrative capabilities in the application?
 
* What administrative capabilities does the application offer?
 
* What administrative capabilities does the application offer?
 +
 
== Regulations ==
 
== Regulations ==
 +
 
* In what industries does the application operate?
 
* In what industries does the application operate?
 
* What security‐related regulations apply?
 
* What security‐related regulations apply?
Line 38: Line 54:
 
<br/>
 
<br/>
 
= Infrastructure Requirements =  
 
= Infrastructure Requirements =  
 +
 
== Network ==
 
== Network ==
 
* What details regarding routing, switching, firewalling, and load‐balancing have been defined?
 
* What details regarding routing, switching, firewalling, and load‐balancing have been defined?
Line 44: Line 61:
 
* What network performance requirements exist?
 
* What network performance requirements exist?
 
* What private and public network links support the application?
 
* What private and public network links support the application?
 +
 
== Systems ==
 
== Systems ==
 
* What operating systems support the application?
 
* What operating systems support the application?
 
* What hardware requirements have been defined?
 
* What hardware requirements have been defined?
 
* What details regarding required OS components and lock‐down needs have been defined?
 
* What details regarding required OS components and lock‐down needs have been defined?
 +
 
== Infrastructure Monitoring ==
 
== Infrastructure Monitoring ==
 
* What network and system performance monitoring requirements have been defined?
 
* What network and system performance monitoring requirements have been defined?
 
* What mechanisms exist to detect malicious code or compromised application components?
 
* What mechanisms exist to detect malicious code or compromised application components?
 
* What network and system security monitoring requirements have been defined?
 
* What network and system security monitoring requirements have been defined?
 +
 
== Virtualization and Externalization ==
 
== Virtualization and Externalization ==
 
* What aspects of the application lend themselves to virtualization?
 
* What aspects of the application lend themselves to virtualization?
Line 59: Line 79:
 
<br/>
 
<br/>
 
= Application Requirements =
 
= Application Requirements =
 +
 
== Environment ==
 
== Environment ==
 
* What frameworks and programming languages have been used to create the application?
 
* What frameworks and programming languages have been used to create the application?
 
* What process, code, or infrastructure dependencies have been defined for the application?
 
* What process, code, or infrastructure dependencies have been defined for the application?
 
* What databases and application servers support the application?
 
* What databases and application servers support the application?
 +
 
== Data Processing ==
 
== Data Processing ==
 
* What data entry paths does the application support?
 
* What data entry paths does the application support?
 
* What data output paths does the application support?
 
* What data output paths does the application support?
* How does data flow across the application’s internal components?
+
* How does data flow across the application's internal components?
 
* What data input validation requirements have been defined?
 
* What data input validation requirements have been defined?
 
* What data does the application store and how?
 
* What data does the application store and how?
Line 86: Line 108:
 
* What application error handling and logging requirements have been defined?
 
* What application error handling and logging requirements have been defined?
 
* How are audit and debug logs accessed, stored, and secured?
 
* How are audit and debug logs accessed, stored, and secured?
 +
 
== Application Design ==
 
== Application Design ==
 
* What application design review practices have been defined and executed?
 
* What application design review practices have been defined and executed?
Line 94: Line 117:
 
<br/>
 
<br/>
 
= Security Program Requirements =
 
= Security Program Requirements =
 +
 
== Operations ==
 
== Operations ==
 
* What is the process for identifying and addressing vulnerabilities in the application?
 
* What is the process for identifying and addressing vulnerabilities in the application?
Line 102: Line 126:
 
* What physical controls restrict access to the application's components and data?
 
* What physical controls restrict access to the application's components and data?
 
* What is the process for granting access to the environment hosting the application?
 
* What is the process for granting access to the environment hosting the application?
 +
 
== Change Management ==
 
== Change Management ==
 
* How are changes to the code controlled?
 
* How are changes to the code controlled?
Line 107: Line 132:
 
* How is code deployed to production?
 
* How is code deployed to production?
 
* What mechanisms exist to detect violations of change management practices?
 
* What mechanisms exist to detect violations of change management practices?
 +
 
== Software Development ==
 
== Software Development ==
 
* What data is available to developers for testing?
 
* What data is available to developers for testing?
Line 112: Line 138:
 
* What requirements have been defined for controlling access to the applications source code?
 
* What requirements have been defined for controlling access to the applications source code?
 
* What secure coding processes have been established?
 
* What secure coding processes have been established?
 +
 
== Corporate ==
 
== Corporate ==
 
* What corporate security program requirements have been defined?
 
* What corporate security program requirements have been defined?

Revision as of 13:33, 4 November 2015


DRAFT CHEAT SHEET - WORK IN PROGRESS


Introduction

This cheat sheet offers tips for the initial design and review of an application's security architecture.


Business Requirements

Business Model

  • What is the application's primary business purpose?
  • How will the application make money?
  • What are the planned business milestones for developing or improving the application?
  • How is the application marketed?
  • What key benefits does application offer its users?
  • What business continuity provisions have been defined for the application?
  • What geographic areas does the application service?

Data Essentials

  • What data does the application receive, produce, and process?
  • How can the data be classified into categories according to its sensitivity?
  • How might an attacker benefit from capturing or modifying the data?
  • What data backup and retention requirements have been defined for the application?

End‐Users

  • Who are the application's end‐users?
  • How do the end‐users interact with the application?
  • What security expectations do the end‐users have?

Partners

  • Which third parties supply data to the application?
  • Which third parties receive data from the applications?
  • Which third parties process the application's data?
  • What mechanisms are used to share data with third‐parties besides the application itself?
  • What security requirements do the partners impose?

Administrators

  • Who has administrative capabilities in the application?
  • What administrative capabilities does the application offer?

Regulations

  • In what industries does the application operate?
  • What security‐related regulations apply?
  • What auditing and compliance regulations apply?


Infrastructure Requirements

Network

  • What details regarding routing, switching, firewalling, and load‐balancing have been defined?
  • What network design supports the application?
  • What core network devices support the application?
  • What network performance requirements exist?
  • What private and public network links support the application?

Systems

  • What operating systems support the application?
  • What hardware requirements have been defined?
  • What details regarding required OS components and lock‐down needs have been defined?

Infrastructure Monitoring

  • What network and system performance monitoring requirements have been defined?
  • What mechanisms exist to detect malicious code or compromised application components?
  • What network and system security monitoring requirements have been defined?

Virtualization and Externalization

  • What aspects of the application lend themselves to virtualization?
  • What virtualization requirements have been defined for the application?
  • What aspects of the product may or may not be hosted via the cloud computing model?


Application Requirements

Environment

  • What frameworks and programming languages have been used to create the application?
  • What process, code, or infrastructure dependencies have been defined for the application?
  • What databases and application servers support the application?

Data Processing

  • What data entry paths does the application support?
  • What data output paths does the application support?
  • How does data flow across the application's internal components?
  • What data input validation requirements have been defined?
  • What data does the application store and how?
  • What data is or may need to be encrypted and what key management requirements have been defined?
  • What capabilities exist to detect the leakage of sensitive data?
  • What encryption requirements have been defined for data in transit over WAN and LAN links?

Access

  • What user privilege levels does the application support?
  • What user identification and authentication requirements have been defined?
  • What user authorization requirements have been defined?
  • What session management requirements have been defined?
  • What access requirements have been defined for URI and Service calls?
  • What user access restrictions have been defined?
  • How are user identities maintained throughout transaction calls?

Application Monitoring

  • What application auditing requirements have been defined?
  • What application performance monitoring requirements have been defined?
  • What application security monitoring requirements have been defined?
  • What application error handling and logging requirements have been defined?
  • How are audit and debug logs accessed, stored, and secured?

Application Design

  • What application design review practices have been defined and executed?
  • How is intermediate or in-process data stored in the application components' memory and in cache?
  • How many logical tiers group the application's components?
  • What staging, testing, and Quality Assurance requirements have been defined?


Security Program Requirements

Operations

  • What is the process for identifying and addressing vulnerabilities in the application?
  • What is the process for identifying and addressing vulnerabilities in network and system components?
  • What access to system and network administrators have to the application's sensitive data?
  • What security incident requirements have been defined?
  • How do administrators access production infrastructure to manage it?
  • What physical controls restrict access to the application's components and data?
  • What is the process for granting access to the environment hosting the application?

Change Management

  • How are changes to the code controlled?
  • How are changes to the infrastructure controlled?
  • How is code deployed to production?
  • What mechanisms exist to detect violations of change management practices?

Software Development

  • What data is available to developers for testing?
  • How do developers assist with troubleshooting and debugging the application?
  • What requirements have been defined for controlling access to the applications source code?
  • What secure coding processes have been established?

Corporate

  • What corporate security program requirements have been defined?
  • What security training do developers and administrators undergo?
  • Which personnel oversees security processes and requirements related to the application?
  • What employee initiation and termination procedures have been defined?
  • What application requirements impose the need to enforce the principle of separation of duties?
  • What controls exist to protect a compromised in the corporate environment from affecting production?
  • What security governance requirements have been defined?

Authors and Primary Editors

Lenny Zeltser - First Draft 2012

Tony Turner - 2015 Format Change and Revisions

Other Cheatsheets

OWASP Cheat Sheets Project Homepage