Security Design Methodologies

This covers the structured application of recognized security methodologies when developing secure systems. Examples include building threat models, conducting security risk assessments, and defining security control frameworks. Such methods help you define and communicate all aspects of security architecture, threat mitigation, and security controls within the organization or team.

Starting Points

Key Points

  • You clearly document the security design so that the threats, controls, and implementation requirements are clear to everyone.
  • You visualize the security design using suitable techniques such as attack trees, data flow diagrams with trust boundaries, or security control matrices.
  • You work iteratively, adapting the security design as the threat landscape evolves.
  • You validate your security design through techniques like peer review, penetration testing, or formal verification.
  • You incorporate security assessment findings into the security design documentation.
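
Two of the techniques named above, a data flow diagram with trust boundaries and a security control matrix, can be kept as code next to the design so the documentation stays current as the design changes. The example below is added here and is not part of the original page: the three-element model, the zone names and the set of required controls are all constructed assumptions.

```python
"""Threat model as code: a minimal data flow diagram (DFD) with trust
boundaries, from which a security control matrix is derived.
Constructed example; element names, zones and policy are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    name: str
    zone: str  # trust zone the element lives in, e.g. "internet"

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    controls: frozenset = frozenset()  # controls already designed in

# Constructed sample model of a hypothetical web shop
browser = Element("browser", "internet")
api = Element("api", "dmz")
db = Element("database", "internal")

FLOWS = [
    Flow(browser, api, "credentials", frozenset({"TLS", "authn"})),
    Flow(api, db, "order records", frozenset({"TLS"})),
    Flow(api, api, "cache lookup"),  # stays inside one zone
]

# Assumed policy: every flow crossing a trust boundary must name these.
REQUIRED = {"TLS", "authn"}

def crossing_flows(flows):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if f.src.zone != f.dst.zone]

def control_matrix(flows, required=REQUIRED):
    """Map each boundary-crossing flow to the required controls it lacks."""
    return {
        f"{f.src.name}->{f.dst.name} ({f.data})": sorted(required - f.controls)
        for f in crossing_flows(flows)
    }

if __name__ == "__main__":
    for flow, missing in control_matrix(FLOWS).items():
        print(flow, "missing:", missing or "none")
```

Running the check in CI turns a gap in the control matrix into a failing build, which is one concrete way to make the "validate" and "incorporate findings" points above routine.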