Security Engineering

From Guidance Share

Jump to: navigation, search

- J.D. Meier

This security engineering approach includes specific security-related activities that help you meet your application security objectives.


Security Overlay

Image:SecurityEngineering.gif


Key Activities in the Life Cycle

This Security Engineering approach extends these proven core activities to create security specific activities. These activities include:


Summary of Key Activities in the Life Cycle

This Security Engineering approach extends these proven core activities to create security specific activities. These activities include:

  • Security Objectives. Setting objectives helps you scope and prioritize your work by setting boundaries and constraints. Setting security objectives helps you identify where to start, how to proceed, and when you are done.
  • Threat Modeling. Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.
  • Security Design Guidelines. Creating design guidelines is a common practice at the start of an application project to guide development and share knowledge across the team. Effective design guidelines for security organize security principles, practices, and patterns by actionable categories.
  • Security Design Inspection. Security design inspections are an effective way to identify problems in your application design. By using pattern-based categories and a question-driven approach, you simplify evaluating your design against root cause security issues.
  • Security Code Inspection. Many security defects are found during code reviews. Analyzing code for security defects includes knowing what to look for and how to look for it. Security code inspections optimize inspecting code for common security issues.
  • Security Testing. Use a risk-based approach and use the output from the threat modeling activity to help establish the scope of your testing activities and define your test plans.
  • Security Deployment Inspection. When you deploy your application during your build process or staging process, you have an opportunity to evaluate runtime characteristics of your application in the context of your infrastructure. Deployment reviews for security focus on evaluating your security design and configuration of your application, host, and network.


Security Engineering Explained


Activities

Security Objectives


Threat Modeling


Security Design Guidelines


Security Design Inspections


Security Code Inspections


Security Deployment Inspections

Artifacts

Threat Model


Building Codes

Guidelines

Recommendations address "what to do", "why", and "how." The recommendations are principle-based and they are organized using categories for easy consumption.


Design


.NET Framework 2.0


.NET Framework 1.1

Checklists

Checklist items present a verification to perform ("what to check for", "how to check" and "how to fix"). The checklist items are principle-based and they are organized using categories for easy consumption.


Design


.NET Framework 2.0


.NET Framework 1.1


Related Items


Personal tools