Architecture Mitigation

Model | Verification | Architecture Assessment | Architecture Mitigation

Benefit

Assures that the architecture protects against typical security threats.

Activity

Review the architecture for typical security threats. Security-savvy technical staff conduct this analysis with input from architects, developers, managers, and business owners as needed, to ensure the architecture addresses all common threats which development teams lacking specialised security expertise may have overlooked.

Typical threats in an architecture can relate to incorrect assumptions in, or overly reliance on, the provisioning of security mechanisms such as authentication, authorization, user and rights management, secure communication, data protection, key management and log management. Threats, on the other hand, can also relate to known limitations of, or issues in, technological components or frameworks that are part of the solution and for which insufficient mitigation has been put in place.

Question

Do you review the application architecture for mitigations of typical threats on an ad-hoc basis?

Quality criteria

You have an agreed upon model of the overall software architecture
Security savvy staff conduct the review
You consider different types of threats, including insider and data-related ones

Answers

No
Yes, for some applications
Yes, for at least half of the applications
Yes, for most or all of the applications

Benefit

All identified threats to the application are adequately handled.

Activity

Systematically review each threat identified during the Threat Assessment activities and examine how the architecture mitigates them. Use a standardised process for analyzing system architectures and the flow of data within them. This is typically linked to the threat model used (e.g. STRIDE) in order to identify the relevant security objectives which address each type of threat. For each threat, identify the design-level features of the architecture which counter it and assess their effectiveness in doing so.

Where available, review architectural decision records to understand the architectural constraints and tradeoffs made during design. Take their impact into consideration along with any security assumptions on which the safe operation of the system relies and re-evaluate them.

Enrich your previously created threat model such that each threat and its estimated impact are linked to the corresponding counter measure. Produce a mapping document, or dashboard in a specialized tool, to make the information available and visible to the relevant stakeholders.

Question

Do you regularly evaluate the threats to your architecture?

Quality criteria

You systematically review each threat identified in the Threat Assessment
Trained or experienced people lead review exercise
You identify mitigating design-level features for each identified threat
You log unhandled threats as defects

Answers

No
Yes, for some applications
Yes, for at least half of the applications
Yes, for most or all of the applications

Benefit

Continuous improvement of enterprise architecture based on architecture reviews

Activity

As an organization, you can further improve your software security posture by understanding which threats remain unaddressed in the software architectures and adapting your tactics to prevent this. Formalize a process to use recurring architecture findings as a trigger to identify the causes of gaps in the security assessment and deal with them. Feed findings back to the Design phase by creating, or updating relevant reference architectures, existing security solutions, or organisation design principles and patterns.

Question

Do you regularly update your reference architectures based on architecture assessment findings?

Quality criteria

You assess your architectures in a standardized, documented manner
You use recurring findings to trigger a review of reference architectures
You independently review the quality of the architecture assessments on an ad-hoc basis
You use reference architecture updates to trigger reviews of relevant shared solutions, in a risk-based manner

Answers

No
Yes, for some applications
Yes, for at least half of the applications
Yes, for most or all of the applications

Stream Guidance

  • SAMM team guidance Google Doc

  • Be the first to add to the Community guidance for this Stream!

Want to contribute?

Complete this Google Form with guidance for this Stream.



To learn more about Stream guidance for the SAMM model, see the Stream guidance page.