An application security design review can provide an organization with the information it needs to assess potential threats to applications, as well as what it’ll take to remediate and minimize the risk surrounding inadequate security. Like any security assessment or test, the underlying goal is to reduce financial loss, brand degradation and loss of consumer confidence.
What Takes Place in a Review?
You should start your application security design review by following something such as the OWASP Application Security Verification Standard template, and then follow it with a threat model. This will help enumerate possible attacks that testers should consider. There are several threat models already in existence to choose from; Microsoft has one, as do others.
You will want to sit down with your team, define what your unique application security design review should look like, and create documentation to manage along with the threat model you’ve chosen. Through this process you will be able to create a framework for potential attacks that might materialize against your organization.
When Should a Review Take Place?
It can actually be performed at any time during the development life cycle as long as the design feature has been completed. That being said, it’s best to perform an application security design review after your application team has just finalized the design phase and just before the development of code starts. This will give the coding team more direction on what should be undertaken to ensure better and more secure coding practices.
Final Thoughts on the Review Process
Security should be a forethought, not an afterthought. A review process takes time for development teams, as well as management, to embrace. Regular improvements early on will start to yield noticeable returns on investment in back-end testing, reduced vulnerabilities during the release cycle and other areas.
Along with having a strong application security development review, it’s important to provide regular application security training for developers to keep them fresh and thinking about security. The mix of both a good review and training will help your organization take leaps in the area of developing secure code.