Applying the SDL Framework to the Real World 295
of threat agents and their attack methods whose targets are similar to
the system under consideration. In these strategy sessions, the security
architect should also have a good feel for emerging trends in threats and
attack methods. What new threat agents are just beginning to become
active? Of these new threats, what will be their likely attack methods? As
the threat agents’ organization and sophistication grow, how might they
expand attack patterns? With these sorts of questions, the architecture can
be designed not only for the intended use cases of the present, but also
for the foreseeable future. Typically, enterprise-level architects consider
similar questions regarding the growth of the organization, growth in user
populations, growth in data, and expansion of capabilities. The same
consideration should be given to the security needs of the future as to
those of the present.
Out of any architecture assessment will come requirements that the
architecture must meet. Typically, early requirements are of a more general
nature: Users will be authenticated, systems will need to be hardened,
Payment Card Industry Data Security Standard (PCI DSS) compliance (at the
appropriate level) will need to be demonstrated, and so forth. The details
will then be baked into the emerging architecture.
As architecting the system proceeds in earnest, the security requirements
will begin to take on specificity. A particular authentication system will
be chosen. For a major server farm, for instance, a system may be chosen
that can handle millions of authentications per minute, can manage millions
of user identities, can interface with the appropriate runtime and
execution environments, and so forth. If, on the other hand, the
authentication need is very modest, an integral library or some other
existing module may suffice. Choosing the former implies tremendous growth
and heavy user traffic, perhaps even heterogeneous systems; choosing the
latter, the smaller library, may preclude major server farm growth. In
considering the intended use (say, an authentication system for a
customer-deployable appliance), a relatively constrained mechanism may be
warranted. In any event, a particular choice will be made based on the
requirements of the system in the intended deployment and with respect to
the expected growth. The architecture will grow more specific and
particular. The output of the security architecture process is a set of
specific components providing particular services and communicating using
known protocols.
For systems within an existing architecture, any change to that
architecture may have security implications, so the security of each architectural