Architecture (A2): SDL Activities and Best Practices 93
• The tiered structure that should be part of Web applications is not fully developed (or at least is not part of this DFD). This might simplify the diagram, but it may also hide some use cases and flows.
The DFD in Figure 4.5 is an example of *aaS-based services provided to customers. Instead of a traditional Web application, this DFD shows an example of how customers access services through a cloud provider. The most obvious security control in this case is protecting customer data through cloud operations. Customers can access the service in multiple ways—through API calls, Web applications, or custom application development.
Examining the flow diagram more closely, we notice the following:
• There is no distinction between application access through an API or the Web.
• Cloud operations is a high-level abstraction for a more detailed cloud operations architecture.
• The DFD does not tell us anything about segmentation between different customers.
• It also does not show how secure the data is—i.e., is it encrypted, are Web servers talking only to database servers in a cluster, or is communication any-any?
Getting the DFD right is key to getting the threat model right. Spend enough time on yours, making sure all the pieces of your system are represented. Each of the elements (processes, data stores, data flows, and interactors) has a set of threats to which it is susceptible, as you can see in Figure 4.6. This chart, along with your DFD, gives you a framework for investigating how your system might fail.[5]
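As an added illustration (not code from the book), the following Python encodes a small DFD like the cloud-provider one above, maps each element type to the threat classes it is susceptible to, and mechanically checks two of the gaps listed earlier: cleartext data flows, and data stores reachable from more than one customer while the DFD shows no segmentation. It assumes the element-to-threat chart follows the STRIDE-per-element convention, which the page itself does not name, and the sample elements and flows are constructed.

```python
from collections import defaultdict, deque

# Threat classes per DFD element type. Assumption: the element/threat chart the
# text refers to follows the STRIDE-per-element convention (not named on the page).
S, T, R, I, D, E = ("Spoofing", "Tampering", "Repudiation",
                    "Information disclosure", "Denial of service", "Elevation of privilege")
THREATS_BY_ELEMENT = {"interactor": [S, R], "process": [S, T, R, I, D, E],
                      "data_store": [T, R, I, D], "data_flow": [T, I, D]}

# Constructed sample DFD modelled on the cloud-provider diagram described above.
# Elements: name -> (kind, tenant); tenant is only set on customer interactors.
ELEMENTS = {"Customer A": ("interactor", "A"), "Customer B": ("interactor", "B"),
            "API/Web front end": ("process", None), "Cloud operations": ("process", None),
            "Customer data": ("data_store", None)}
FLOWS = [("Customer A", "API/Web front end", True),        # (source, destination, encrypted?)
         ("Customer B", "API/Web front end", True),
         ("API/Web front end", "Cloud operations", False),
         ("Cloud operations", "Customer data", False)]

def threats_for(elements, flows):
    """Map every element and every flow to the threat classes it is susceptible to."""
    out = {name: THREATS_BY_ELEMENT[kind] for name, (kind, _) in elements.items()}
    out.update({f"{s}->{d}": THREATS_BY_ELEMENT["data_flow"] for s, d, _ in flows})
    return out

def review(elements, flows):
    """Flag the gaps the text calls out: cleartext flows, and data stores that
    more than one customer can reach while the DFD shows no segmentation."""
    findings = [f"cleartext flow {s}->{d}" for s, d, enc in flows if not enc]
    edges = defaultdict(list)
    for s, d, _ in flows:
        edges[s].append(d)
    reach = defaultdict(set)  # data store -> tenants with a path to it
    for name, (kind, tenant) in elements.items():
        if kind != "interactor":
            continue
        seen, queue = {name}, deque([name])
        while queue:  # breadth-first walk along the data flows
            for nxt in edges[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        for n in seen:
            if elements[n][0] == "data_store":
                reach[n].add(tenant)
    for store, tenants in sorted(reach.items()):
        if len(tenants) > 1:
            findings.append(f"{store} reachable by tenants {sorted(tenants)}; no segmentation shown")
    return findings
```

Running `review(ELEMENTS, FLOWS)` on the sample reports the two cleartext hops behind the front end and the shared customer data store, which is exactly the information the diagram alone leaves unanswered.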
The DFD process requires that you think not only like an attacker but possibly like multiple attackers, particularly if your software product is going to be operating in the cloud or a SaaS environment. Once the DFD is completed, you should have an accurate overview of how data is processed by the software, including how it moves and what happens to it within the application and any others that may be associated with it. The high levels of the DFD clarify the scope of the application, and the lower levels clarify the processes involved when specific data is being processed.