Secure architecture design

For applications and systems

The earlier information security is considered in the life cycle of an application, the less will be the cost and timing of its implementation:

Project Plan

Картика 1

1.Determination of Initial Requirements

  • Business requirements
  • Regulation and legal requirements
  • Vendor requirements
  • IS configurations best practices
Ресурс 9@2x

2.Threat Modelling

  • Possible threats analysis
  • Response controls defining
Картинка 2

3.Security Architecture

  • Application architecture
  • Network and protection means architecture
Ресурс 6@2x

4.Technical Controls

  • Identification
  • Authentication
  • Authorization
  • Session Management
  • Input Validation
  • Cryptography
  • Error Handling
Картинка 5

5.Business Processes (nontechnical controls)

  • Testing
  • Developers education
  • Risk analysis
  • Monitoring and logging
  • Patching
  • Incident management
  • Change management
  • Physical security
  • Performance management
  • Vulnerability management
  • Penetration testing

In the requirements we consider  OWASP Top 10 and SANS CWE 25

CWE_SANS top 25

Top 25 most dangerous software errors CWE / SANS

  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CWE-306 Missing Authentication for Critical Function
  • CWE-862 Missing Authorization
  • CWE-798 Use of Hard-coded Credentials
  • CWE-311 Missing Encryption of Sensitive Data
  • CWE-434 Unrestricted Upload of File with Dangerous Type
  • CWE-807 Reliance on Untrusted Inputs in a Security Decision
  • CWE-250 Execution with Unnecessary Privileges
  • CWE-352 Cross-Site Request Forgery (CSRF)
  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • CWE-494 Download of Code Without Integrity Check
  • CWE-863 Incorrect Authorization
  • CWE-829 Inclusion of Functionality from Untrusted Control Sphere
  • CWE-732 Incorrect Permission Assignment for Critical Resource
  • CWE-676 Use of Potentially Dangerous Function
  • CWE-327 Use of a Broken or Risky Cryptographic Algorithm
  • CWE-131 Incorrect Calculation of Buffer Size
  • CWE-307 Improper Restriction of Excessive Authentication Attempts
  • CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
  • CWE-134 Uncontrolled Format String
  • CWE-190 Integer Overflow or Wraparound
  • CWE-759 Use of a One-Way Hash without a Salt
owasp top10

Top 10 most critical security risks for web-applications according to OWASP

  • A1 Injection
  • A2 Broken Authentication
  • A3 Sensitive Data Exposure
  • A4 XML External Entities (XXE)
  • A5 Broken Access Control
  • A6 Security Misconfiguration
  • A7 Cross-Site Scripting (XSS)
  • A8 Insecure Deserialization
  • A9 Using Components with Known Vulnerabilities
  • A10 Insufficient Logging & Monitoring

Our practices


Get a commercial offer or expert advice

Fill the form and we contact You.