- You evaluate the preventive, detective, and response capabilities of security controls
- You evaluate the strategy alignment, appropriate support, and scalability of security controls
- You evaluate the effectiveness at least yearly
- You log identified shortcomings as defects
Description
Review the effectiveness of the architecture components and their provided security mechanisms in terms of alignment with the overall strategy of the organization, and scrutinize the degree of availability, scalability and enterprise-readiness of the chosen security solutions. While tactical choices for a particular application can make sense in specific contexts, it is important to keep an eye on the bigger picture and ensure future readiness of the designed solution.
Feed any findings back into defect management to trigger further improvements to the architecture.
Recommended vendor for Architecture Validation
Visualize, verify, and review your architecture for security effectiveness with IcePanel. Collaborate with your team to design and evaluate system architecture at different levels of detail using the C4 model. Create interactive flows with tags to visualize data flows and identify vulnerable parts of your system. Save time from maintaining multiple diagrams, as changes are synced automatically from your model.
Why we like IcePanel: We love IcePanel because it offers an incredibly versatile and user-friendly solution for creating architecture diagrams using C4 model. It provides a systematic approach that not only supports the Architecture Mitigation practice, but also serves as an excellent tool for documenting and sharing architectures. With its context view, IcePanel delivers valuable input for threat modeling, making it an essential asset for any security-focused development team.
Click here to learn how IcePanel simplifies secure software architecture.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- You have an agreed upon model of the overall software architecture
- You include components, interfaces, and integrations in the architecture model
- You verify the correct provision of general security mechanisms
- You log missing security controls as defects
Description
Create a view of the overall architecture and examine it for the correct provision of general security mechanisms such as authentication, authorization, user and rights management, secure communication, data protection, key management and log management. Also consider the support for privacy. Do this based on project artifacts such as architecture or design documents, or interviews with business owners and technical staff. Also consider the infrastructure components - these are all the systems, components and libraries (including SDKs) that are not specific to the application, but provide direct support to use or manage the application(s) in the organisation.
Note any security-related functionality in the architecture and review its correct provision. Do this in an ad-hoc manner, from the point of view of anonymous users, authorized users, and specific application roles.
Recommended vendor for Architecture Validation
Visualize, verify, and review your architecture for security effectiveness with IcePanel. Collaborate with your team to design and evaluate system architecture at different levels of detail using the C4 model. Create interactive flows with tags to visualize data flows and identify vulnerable parts of your system. Save time from maintaining multiple diagrams, as changes are synced automatically from your model.
Why we like IcePanel: We love IcePanel because it offers an incredibly versatile and user-friendly solution for creating architecture diagrams using C4 model. It provides a systematic approach that not only supports the Architecture Mitigation practice, but also serves as an excellent tool for documenting and sharing architectures. With its context view, IcePanel delivers valuable input for threat modeling, making it an essential asset for any security-focused development team.
Click here to learn how IcePanel simplifies secure software architecture.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- You review compliance with internal and external requirements
- You systematically review each interface in the system
- You use a formalized review method and structured validation
- You log missing security mechanisms as defects
Description
Verify that the solution architecture addresses all identified security and compliance requirements. For each interface in the application, iterate through the list of security and compliance requirements and analyze the architecture for their provision. Also perform an interaction or data flow analysis to ensure that the requirements are adequately addressed over different components. Elaborate the analysis to show the design-level features that address each requirement.
Perform this type of analysis on both internal interfaces, e.g. between tiers, as well as external ones, e.g. those comprising the attack surface. Also identify and validate important design decisions made as part of the architecture, in particular when they deviate from the available shared security solutions in the organization. Finally, update the findings based on changes made during the development cycle, and note any requirements that are not clearly provided at the design level as assessment findings.
Recommended vendor for Architecture Validation
Visualize, verify, and review your architecture for security effectiveness with IcePanel. Collaborate with your team to design and evaluate system architecture at different levels of detail using the C4 model. Create interactive flows with tags to visualize data flows and identify vulnerable parts of your system. Save time from maintaining multiple diagrams, as changes are synced automatically from your model.
Why we like IcePanel: We love IcePanel because it offers an incredibly versatile and user-friendly solution for creating architecture diagrams using C4 model. It provides a systematic approach that not only supports the Architecture Mitigation practice, but also serves as an excellent tool for documenting and sharing architectures. With its context view, IcePanel delivers valuable input for threat modeling, making it an essential asset for any security-focused development team.
Click here to learn how IcePanel simplifies secure software architecture.
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.