Architecture (A2): SDL Activities and Best Practices 101
1. Does your application audit activity across all tiers on all servers?
2. How are log files secured?
3. Does the application log any sensitive information (e.g. credentials, data
elements, session tokens)?
4. Are log files transported securely (e.g. TCP/TLS)?
5. Is the retention period clearly defined for log files? Does it align with
regulatory and legal requirements?
6. How often are logs rotated?
7. Are trigger levels defined for certain types of events?
Now that you have a visual representation of the threat and have answered questions as above, the next step is to identify the threats that may affect your software application. This is also where you bring together elements of the software security group and the development team for a whiteboard meeting to brainstorm cost-effective and practical solutions to the vulnerabilities that have been identified in threat modeling. The goals of the attacker are addressed in relation to the threats and questions during the STRIDE assessment. This is done from a somewhat higher architectural and multifunctional perspective given the makeup of the brainstorming team. It is also common practice to use any available categorized threat list and apply it to any of the vulnerabilities identified earlier.
The use of attack trees and attack patterns is a traditional approach to threat assessment that can help you identify additional potential threats. Although attack patterns represent commonly known attacks, their combination with attack trees can be used for a greater depth of analysis, highlighting areas you may have missed in your initial analysis or through the use of categorized lists of known threats. Since attack trees are in a hierarchical, structured, and flow diagram style, they give a great visual representation of attacks and help focus efforts on potential additional approaches to avoiding or mitigating such attacks. They are also useful for the creation of test plans and the assessment of security costs. Since the primary focus of attack patterns, attacker techniques, and STRIDE is on the goals of the attacker, using them in combination with attack trees helps bring a holistic approach to this process, especially when used in face-to-face brainstorming sessions.
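The cost assessment the paragraph above mentions is where an attack tree earns its keep: with a relative effort on each leaf, OR nodes take the cheapest child and AND nodes sum their children, so the tree tells you which mitigation actually raises the attacker's cost and which one only looks good on a slide. The following is an added example (not from the book or any project it describes) that evaluates a small tree built from the logging questions earlier on this page. The goal, the leaves, the effort values and the candidate mitigations are all constructed for the illustration; the mitigations are modelled simply as removing the leaf they defeat.

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """An attack-tree node. Leaves carry an effort estimate; AND/OR nodes combine children."""
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    cost: float = 0.0           # relative attacker effort for a leaf (constructed units)
    children: List["Node"] = field(default_factory=list)


def cheapest(node, mitigated=frozenset()) -> Tuple[float, List[str]]:
    """Return (effort, leaf names) of the cheapest way to reach node's goal.

    A leaf named in `mitigated` is treated as unavailable (infinite effort).
    """
    if node.kind == "LEAF":
        if node.name in mitigated:
            return math.inf, []
        return node.cost, [node.name]
    results = [cheapest(child, mitigated) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        total = sum(r[0] for r in results)
        if math.isinf(total):
            return math.inf, []
        return total, [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_mitigations(tree, candidates):
    """For each candidate leaf to mitigate, the cheapest remaining attack effort, best first."""
    ranked = [(name, cheapest(tree, frozenset({name}))[0]) for name in candidates]
    return sorted(ranked, key=lambda r: -r[1])


def render(node, indent=0):
    """Indented text view of the tree, handy as the skeleton of a test plan."""
    label = node.name if node.kind == "LEAF" else f"{node.name} [{node.kind}]"
    suffix = f" (effort {node.cost:g})" if node.kind == "LEAF" else ""
    lines = [" " * indent + label + suffix]
    for child in node.children:
        lines.extend(render(child, indent + 2))
    return lines


# Constructed tree tied to the logging questions: how could an attacker read
# sensitive data that ended up in the audit logs?
ATTACK_TREE = Node("Read sensitive data from audit logs", "OR", children=[
    Node("Read log file on disk", "AND", children=[
        Node("Obtain unprivileged shell on log server", cost=7),
        Node("Log file readable by all local users", cost=1),
    ]),
    Node("Logs sent over cleartext syslog", cost=3),
    Node("Logs recovered from unencrypted backup media", cost=5),
])

CANDIDATE_MITIGATIONS = [
    "Log file readable by all local users",          # tighten file permissions
    "Logs sent over cleartext syslog",               # TCP/TLS transport (question 4)
    "Logs recovered from unencrypted backup media",  # encrypt backups
]


if __name__ == "__main__":
    print("\n".join(render(ATTACK_TREE)))
    print("cheapest path now:", cheapest(ATTACK_TREE))
    for name, effort in rank_mitigations(ATTACK_TREE, CANDIDATE_MITIGATIONS):
        print(f"mitigate '{name}': cheapest remaining effort {effort}")
```

Run as written, the cheapest path is the cleartext transport at effort 3, and the ranking shows that tightening file permissions alone changes nothing because the attacker never needed that branch; only after the transport and backup leaves are mitigated does the AND branch (effort 8) become the cheapest remaining path. That ordering is the kind of output the brainstorming session should leave with.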
Before you move on to the next stage of the threat modeling and architectural risk assessment process and start assigning values to the risk, it