- You evaluate the preventive, detective, and response capabilities of security controls
- You evaluate the strategy alignment, appropriate support, and scalability of security controls
- You evaluate the effectiveness at least yearly
- You log identified shortcomings as defects
Description
Review the effectiveness of the architecture components and their provided security mechanisms in terms of alignment with the overall strategy of the organization, and scrutinize the degree of availability, scalability and enterprise-readiness of the chosen security solutions. While tactical choices for a particular application can make sense in specific contexts, it is important to keep an eye on the bigger picture and ensure future readiness of the designed solution.
Feed any findings back into defect management to trigger further improvements to the architecture.
Endorsed Solutions for Mastering Architecture Validation
Become a Recommended Vendor for Architecture Validation! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Architecture Validation? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- You have an agreed upon model of the overall software architecture
- You include components, interfaces, and integrations in the architecture model
- You verify the correct provision of general security mechanisms
- You log missing security controls as defects
Description
Create a view of the overall architecture and examine it for the correct provision of general security mechanisms such as authentication, authorization, user and rights management, secure communication, data protection, key management and log management. Also consider the support for privacy. Do this based on project artifacts such as architecture or design documents, or interviews with business owners and technical staff. Also consider the infrastructure components - these are all the systems, components and libraries (including SDKs) that are not specific to the application, but provide direct support to use or manage the application(s) in the organisation.
Note any security-related functionality in the architecture and review its correct provision. Do this in an ad-hoc manner, from the point of view of anonymous users, authorized users, and specific application roles.
Endorsed Solutions for Mastering Architecture Validation
Become a Recommended Vendor for Architecture Validation! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Architecture Validation? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.
- You review compliance with internal and external requirements
- You systematically review each interface in the system
- You use a formalized review method and structured validation
- You log missing security mechanisms as defects
Description
Verify that the solution architecture addresses all identified security and compliance requirements. For each interface in the application, iterate through the list of security and compliance requirements and analyze the architecture for their provision. Also perform an interaction or data flow analysis to ensure that the requirements are adequately addressed over different components. Elaborate the analysis to show the design-level features that address each requirement.
Perform this type of analysis on both internal interfaces, e.g. between tiers, as well as external ones, e.g. those comprising the attack surface. Also identify and validate important design decisions made as part of the architecture, in particular when they deviate from the available shared security solutions in the organization. Finally, update the findings based on changes made during the development cycle, and note any requirements that are not clearly provided at the design level as assessment findings.
Endorsed Solutions for Mastering Architecture Validation
Become a Recommended Vendor for Architecture Validation! Are you a provider of cutting-edge products, processes, consultancy, or technology that aligns with Architecture Validation? Showcase your expertise and connect with organizations seeking solutions like yours. Apply now to become an endorsed vendor and help others achieve mastery!
Do you want to recommend a vendor to appear here? Recommend a vendor
OWASP Team guidance
This is the official guidance provided by the OWASP SAMM Team.
Community guidance
This guidance is based on the approved community submissions.