Design

A secure solution begins with a good design! Much of the foundation for assessing whether a solution is secure comes from the design phase, where important trade-offs between cost, benefit, and risk must be made.

The articles under the Design topic on this page focus on the design process. Although this process may include much more than we have listed, we cover the essentials, such as thorough documentation of what is to be built, critical clarifications, and the need for context.


Security Requirements

How can one build security into a solution if there are no well-defined security requirements?

Network Concepts

The network is a fundamental component in everything we create, and it is important to have a basic understanding of how it works and how it can be exploited by others.

Segregation of Environments

Development projects use different environments for various purposes, such as testing deployments in a dedicated dev environment, exposing the test environment to product owners and other key personnel, and the production environment to end users. To avoid incidents in one environment affecting another, we must segregate them at a level that makes sense for the team and the context in which we work.

Authentication and Authorization

Authentication and authorization check, respectively, who you are and what you are allowed to do. These are important concepts that must be correctly implemented to ensure the security of a solution.

Threat Modeling

Threat modeling is an exercise where the goal is to identify threats in and around a solution. This makes it possible to identify and assess risk against the overall security posture of the solution. Based on a threat model, mitigating measures can be identified and implemented to reduce risk.

System Diagrams and Drawings

It’s important to have a good foundation when building quality solutions, and drawings and diagrams showing the infrastructure, data flow, networks, and access control are crucial elements. Without this information, it is difficult to validate if the implementation matches the intended design.