Design and Development (A4): SDL Activities and Best Practices 191
that the data is traced back to its source, and trust is assigned based on
the weakest link.
There are other lists of questions that should be considered. Some of
these are organized into sets of key areas based on the implementation
mistakes that result in the most common software vulnerabilities relevant
to the software product or solution being developed, also called hotspots.
These questions are typically developed by the software security architect
and revolve around the last top 10–20 CVE or OWASP “Top 10” lists
described earlier in the book.
A review for security issues unique to the architecture should also be
conducted as part of the manual security review process. This step is par-
ticularly important if the software product uses a custom security mecha-
nism or has features to mitigate known security threats. During this step,
the list of code review objectives is also examined for anything that has
not yet been reviewed. Here, too, a question-driven approach such as the
following list will be useful, as the final code review step to verify that
the security features and requirements that are unique to your software
architecture have been met.
• Does your architecture include a custom security implementation? A
custom security implementation is a great place to look for security
issues for these reasons:
o
It has already been recognized that a security problem exists,
which is why the custom security code was written in the first
place.
o
Unlike other areas of the product, a functional issue is very likely
to result in security vulnerability.
• Are there known threats that have been specifically mitigated? Code
that mitigates known threats needs to be carefully reviewed for prob-
lems that could be used to circumvent the mitigation.
• Are there unique roles in the application? The use of roles assumes that
there are some users with lower privileges than others. Make sure
that there are no problems in the code that could allow one role to
assume the privileges of another.
44
We would like to reiterate that it is not an either/or proposition
between different types of security testing. For a product to be secure, it
should go through all types of security testing—static analysis, dynamic
analysis, manual code review, penetration testing, and fuzzing. Often,