Security Engineering

From Guidance Share

- J.D. Meier

This security engineering approach includes specific security-related activities that help you meet your application security objectives.


Security Overlay

(Figure: Security Overlay diagram, SecurityEngineering.gif)


Key Activities in the Life Cycle

This Security Engineering approach extends the proven core activities of your software development life cycle with security-specific activities. These activities include:


  • Security Objectives. Setting objectives helps you scope and prioritize your work by setting boundaries and constraints. Setting security objectives helps you identify where to start, how to proceed, and when you are done.
  • Threat Modeling. Threat modeling is an engineering technique that can help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can use threat modeling to shape your application's design, meet your company's security objectives, and reduce risk.
  • Security Design Guidelines. Creating design guidelines is a common practice at the start of an application project to guide development and share knowledge across the team. Effective design guidelines for security organize security principles, practices, and patterns by actionable categories.
  • Security Design Inspection. Security design inspections are an effective way to identify problems in your application design. By using pattern-based categories and a question-driven approach, you simplify evaluating your design against root cause security issues.
  • Security Code Inspection. Many security defects are found during code reviews. Analyzing code for security defects requires knowing what to look for and how to look for it. Security code inspections focus the review on the common security issues so that reviewer time goes where defects are most likely.
  • Security Testing. Use a risk-based approach: the output of the threat modeling activity establishes the scope of your testing and drives your test plans.
  • Security Deployment Inspection. When you deploy your application during your build process or staging process, you have an opportunity to evaluate runtime characteristics of your application in the context of your infrastructure. Deployment reviews for security focus on evaluating your security design and configuration of your application, host, and network.
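The following is an added example, not code from the Guidance Share page or from J.D. Meier's own material. It shows the hand-off the list above describes: a threat model (threats with attack, vulnerability and countermeasure) is turned into a prioritized security test plan, and threats above a risk threshold that have no countermeasure are flagged as design gaps to send back to the design inspection. The threat entries, the 1-3 likelihood and impact scales, and the risk = likelihood x impact scoring are assumptions made for this example.

```python
"""Threat model -> prioritized security test plan (added example).

Risk scoring as likelihood * impact on a 1..3 scale is an assumption
for illustration; substitute your own rating scheme.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Threat:
    id: str
    asset: str            # what the attacker is after
    entry_point: str      # where the attack enters the application
    attack: str           # how the attack is carried out
    vulnerability: str    # the weakness that makes the attack possible
    likelihood: int       # 1 (low) .. 3 (high), assumed scale
    impact: int           # 1 (low) .. 3 (high), assumed scale
    countermeasure: Optional[str] = None   # None = no mitigation designed yet

    @property
    def risk(self) -> int:
        # Assumed scoring: likelihood * impact, range 1..9
        return self.likelihood * self.impact


@dataclass
class TestCase:
    threat_id: str
    risk: int
    description: str      # what the tester attempts
    expected: str         # what a passing run must demonstrate


def build_test_plan(threats: List[Threat], min_risk: int = 1) -> List[TestCase]:
    """Derive one test case per threat with risk >= min_risk, highest risk first.

    Threats without a countermeasure still get a test so the gap stays visible;
    that test cannot pass until a countermeasure is designed and implemented.
    """
    plan: List[TestCase] = []
    for t in sorted(threats, key=lambda t: (-t.risk, t.id)):
        if t.risk < min_risk:
            continue
        description = f"Attempt '{t.attack}' via {t.entry_point} against {t.asset}"
        if t.countermeasure:
            expected = f"Blocked by countermeasure: {t.countermeasure}"
        else:
            expected = "NO COUNTERMEASURE DESIGNED - design gap, test must fail until fixed"
        plan.append(TestCase(t.id, t.risk, description, expected))
    return plan


def uncovered_threats(threats: List[Threat], min_risk: int = 4) -> List[str]:
    """Ids of threats at or above min_risk with no countermeasure (back to design)."""
    return [t.id for t in threats if t.risk >= min_risk and not t.countermeasure]


# Constructed sample threat model for a small web storefront (not from the page).
SAMPLE_THREATS = [
    Threat("T1", "customer credentials", "login form", "credential stuffing",
           "no lockout or rate limiting", 3, 3,
           "rate limiting plus account lockout"),
    Threat("T2", "order database", "search parameter", "SQL injection",
           "string-concatenated SQL", 2, 3, "parameterized queries"),
    Threat("T3", "session token", "HTTP response", "token disclosure over cleartext",
           "session cookie without Secure flag", 2, 2, None),
    Threat("T4", "admin pages", "direct URL request", "forced browsing",
           "authorization checked only in the UI", 1, 3,
           "server-side role check on every admin request"),
    Threat("T5", "audit log", "log entry write", "log injection",
           "unescaped newlines in user input", 1, 1, None),
]


def format_plan(plan: List[TestCase]) -> str:
    """Human-readable test plan, one line per test case."""
    return "\n".join(f"[{tc.threat_id} risk={tc.risk}] {tc.description} -> {tc.expected}"
                     for tc in plan)


if __name__ == "__main__":
    print(format_plan(build_test_plan(SAMPLE_THREATS, min_risk=3)))
    print("Design gaps:", uncovered_threats(SAMPLE_THREATS))
```

Run as a script, the plan lists T1 (risk 9), T2 (6), T3 (4) and T4 (3), and T3 is reported as a design gap: a risk-4 threat with no countermeasure is not something the test phase can close on its own, so it goes back to the security design inspection rather than being buried as a failing test.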


Security Engineering Explained


Activities

Security Objectives


Threat Modeling


Security Design Guidelines


Security Design Inspections


Security Code Inspections


Security Deployment Inspections

Artifacts

Threat Model


Building Codes

Guidelines

Recommendations address "what to do", "why", and "how." The recommendations are principle-based and they are organized using categories for easy consumption.


Design


.NET Framework 2.0


.NET Framework 1.1

Checklists

Checklist items present a verification to perform ("what to check for", "how to check" and "how to fix"). The checklist items are principle-based and they are organized using categories for easy consumption.


Design


.NET Framework 2.0


.NET Framework 1.1


Related Items