SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS

This cheat sheet offers tips for the initial design and review of an application's security architecture.

#1: BUSINESS REQUIREMENTS

Business Model
What is the application's primary business purpose?
How will the application make money?
What are the planned business milestones for developing or improving the application?
How is the application marketed?
What key benefits does the application offer users?
What business continuity provisions have been defined for the application?
What geographic areas does the application service?

Data Essentials
What data does the application receive, produce, and process?
How can the data be classified into categories according to its sensitivity?
How might an attacker benefit from capturing or modifying the data?
What data backup and retention requirements have been defined for the application?

End Users
Who are the application's end users?
How do the end users interact with the application?
What security expectations do the end users have?

Partners
Which third parties supply data to the application?
Which third parties receive data from the application?
Which third parties process the application's data?
What mechanisms are used to share data with third parties besides the application itself?
What security requirements do the partners impose?

Administrators
Who has administrative capabilities in the application?
What administrative capabilities does the application offer?

Regulations
In what industries does the application operate?
What security-related regulations apply?
What auditing and compliance regulations apply?

#2: INFRASTRUCTURE REQUIREMENTS

Network
What details regarding routing, switching, firewalling, and load balancing have been defined?
What network design supports the application?
What core network devices support the application?
What network performance requirements exist?
What private and public network links support the application?

Systems
What operating systems support the application?
What hardware requirements have been defined?
What details regarding required OS components and lockdown needs have been defined?

Infrastructure Monitoring
What network and system performance monitoring requirements have been defined?
What mechanisms exist to detect malicious code or compromised application components?
What network and system security monitoring requirements have been defined?

Virtualization and Externalization
What aspects of the application lend themselves to virtualization?
What virtualization requirements have been defined for the application?
What aspects of the product may or may not be hosted via the cloud computing model?

#3: APPLICATION REQUIREMENTS

Environment
What frameworks and programming languages have been used to create the application?
What process, code, or infrastructure dependencies have been defined for the application?
What databases and application servers support the application?

Data Processing
What data entry paths does the application support?
What data output paths does the application support?
How does data flow across the application's internal components?
What data input validation requirements have been defined?
What data does the application store and how?
What data is or may need to be encrypted and what key management requirements have been defined?
What capabilities exist to detect the leakage of sensitive data?
What encryption requirements have been defined for data in transit over WAN and LAN links?

Access
What user privilege levels does the application support?
What user identification and authentication requirements have been defined?
What user authorization requirements have been defined?
What session management requirements have been defined?
What access requirements have been defined for URI and Service calls?
What user access restrictions have been defined?
How are user identities maintained throughout transaction calls?

Application Monitoring
What application auditing requirements have been defined?
What application performance monitoring requirements have been defined?
What application security monitoring requirements have been defined?
What application error handling and logging requirements have been defined?
How are audit and debug logs accessed, stored, and secured?

Application Design
What application design review practices have been defined and executed?
How is intermediate or in-process data stored in the application components' memory and in cache?
How many logical tiers group the application's components?
What staging, testing, and Quality Assurance requirements have been defined?

#4: SECURITY PROGRAM REQUIREMENTS

Operations
What is the process for identifying and addressing vulnerabilities in the application?
What is the process for identifying and addressing vulnerabilities in network and system components?
What access do system and network administrators have to the application's sensitive data?
What security incident requirements have been defined?
How do administrators access production infrastructure to manage it?
What physical controls restrict access to the application's components and data?
What is the process for granting access to the environment hosting the application?

Change Management
How are changes to the code controlled?
How are changes to the infrastructure controlled?
How is code deployed to production?
What mechanisms exist to detect violations of change management practices?

Software Development
What data is available to developers for testing?
How do developers assist with troubleshooting and debugging the application?
What requirements have been defined for controlling access to the application's source code?
What secure coding processes have been established?

Corporate
What corporate security program requirements have been defined?
What security training do developers and administrators undergo?
Which personnel oversee security processes and requirements related to the application?
What employee initiation and termination procedures have been defined?
What application requirements impose the need to enforce the principle of separation of duties?
What controls exist to keep a compromise in the corporate environment from affecting production?
What security governance requirements have been defined?

Additional Resources
OWASP Guide to Building Secure Web Applications: http://www.owasp.org/index.php/OWASP_Guide...
ISO 27002 Standard: Code of Practice: http://www.iso.org/iso/catalogue...
BITS Standards for Vendor Assessments: http://www.sharedassessments.org/download...
Guidance for Critical Areas... in Cloud Computing: http://www.cloudsecurityalliance.org/guidance...
Payment Card Industry (PCI) Data Security Standard: https://www.pcisecuritystandards.org/security...
How to Write an Information Security Policy: http://www.csoonline.com/article/print/495017
IT Infrastructure Threat Modeling Guide: http://www.microsoft.com/downloads...

Authored by Lenny Zeltser, who leads the security consulting practice at Savvis and teaches at SANS Institute. You can find him on Twitter. Special thanks to Slava Frid for feedback.

Creative Commons v3 "Attribution" License for this cheat sheet version 1.2. See Lenny's other cheat sheets.