SSDL Touchpoints: Architecture Analysis (AA)
The overall goal of the Architecture Analysis practice is quality control. Those performing architecture analysis must ensure the detection and correction of security flaws. Software architects must enforce adherence to standards and the reuse of approved security features.
AA Level 1: Perform risk-driven AA reviews, led by the SSG. The organization must provide a lightweight software risk classification. The SSG must begin leading architecture analysis efforts, particularly on high-risk applications, as a way to build internal capability and demonstrate value at the design level.
AA1.1
Perform security feature review. To get started with architecture analysis, center the analysis process on a review of security features. Reviewers first identify the security features in an application (authentication, access control, use of cryptography, etc.) then study the design looking for problems that would cause these features to fail at their purpose or otherwise prove insufficient. At higher levels of maturity this activity is eclipsed by a more thorough approach to architecture analysis not centered on features.
AA1.2
Perform design review for high-risk applications. The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work.
AA1.3
Have SSG lead review efforts. The SSG takes a lead role in performing architecture analysis in order to begin building the organization's ability to uncover design flaws. Architecture analysis is enough of an art that the SSG needs to be proficient at it before they can turn the job over to the architects, and proficiency requires practice. The SSG cannot be successful on its own either—they will likely need help from the architects or implementers in order to understand the design. With a clear design in hand, the SSG might carry out the analysis with a minimum of interaction with the project team. At higher levels of maturity, the responsibility for leading review efforts shifts towards software architects.
AA1.4
Use risk questionnaire to rank applications. At the beginning of the AA process, the SSG uses a risk questionnaire to collect basic information about each application so that it can determine a risk classification and prioritization scheme. Questions might include "Which programming languages is the application written in?", "Who uses the application?", and "Does the application handle PII?" A qualified member of the application team completes the questionnaire. The questionnaire is short enough to be completed in a matter of hours. The SSG might use the answers to bucket the application as high, medium, or low risk.
AA Level 2: Provide outreach on use of documented AA process. The SSG must facilitate organization-wide use of architecture analysis by making itself available as a resource and mentor. The SSG must define an architecture analysis process based on a common architecture description language and standard attack models.
AA2.1
Define/use AA process. The SSG defines a process for performing architecture analysis and applies it in the reviews it conducts. The process includes a standardized approach for thinking about attacks and security properties. The process is defined rigorously enough that people outside the SSG can be taught to carry it out. Microsoft's STRIDE and Cigital's ARA are examples of such a process.
AA2.2
Standardize architectural descriptions (include data flow). The organization uses an agreed-upon format for describing architecture, including a means for representing data flow. This format, together with the architecture analysis process, makes architecture analysis tractable for people who are not security experts.
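An added example illustrating AA2.1 and AA2.2 together (it is not part of the BSIMM text or any vendor's tooling): a minimal architecture description with elements, trust zones and data flows, with STRIDE applied per element type to enumerate the candidate threats a reviewer must then confirm or dismiss. The STRIDE-per-element mapping follows Microsoft's published practice; the sample system, its names and its zone labels are constructed for illustration.

```python
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE-per-element: which categories apply to each DFD element type
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone label, e.g. internet / dmz / internal (constructed)

@dataclass
class Flow:
    name: str
    src: str
    dst: str
    data: str   # what travels on the flow, e.g. "credentials" or "PII"

@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)
    def add(self, e): self.elements[e.name] = e
    def connect(self, f): self.flows.append(f)

    def crosses_boundary(self, f):
        # A flow whose endpoints sit in different zones crosses a trust boundary
        return self.elements[f.src].zone != self.elements[f.dst].zone

    def threats(self):
        """Candidate threats as (element, threat, crosses_boundary) tuples;
        the reviewer decides per entry whether the design mitigates it."""
        out = [(e.name, STRIDE[c], False)
               for e in self.elements.values() for c in APPLICABLE[e.kind]]
        out += [(f.name, STRIDE[c], self.crosses_boundary(f))
                for f in self.flows for c in APPLICABLE["flow"]]
        return out

def sample_model():
    # Constructed sample system: browser -> web app -> user database
    m = Model()
    m.add(Element("browser", "external", "internet"))
    m.add(Element("web app", "process", "dmz"))
    m.add(Element("user db", "store", "internal"))
    m.connect(Flow("login request", "browser", "web app", "credentials"))
    m.connect(Flow("user lookup", "web app", "user db", "PII"))
    return m
```

Flows flagged as boundary-crossing are where the review should start, since that is where data changes trust level.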
AA2.3
Make SSG available as AA resource/mentor. In order to build an architecture analysis capability outside of the SSG, the SSG advertises itself as a resource or mentor for teams who ask for help conducting their own analysis. The SSG will answer architecture analysis questions during office hours, and in some cases might assign someone to sit side-by-side with the architect for the duration of the analysis.
AA Level 3: Build review and remediation capability within the architects group. Software architects must lead analysis efforts across the organization and must use analysis results to update and create standard architecture patterns that are secure.
AA3.1
Have software architects lead review efforts. Software architects throughout the organization lead the architecture analysis process most of the time. The SSG might still contribute to architecture analysis in an advisory capacity or under special circumstances.
AA3.2
Drive analysis results into standard architectural patterns. Failures identified during architecture analysis are fed back to the security design committee so that similar mistakes can be prevented in the future through improved design patterns. (See [SFD3.1] Form review board or central committee to approve and maintain secure design.)