Secure Software Architecture

With this skill, you design the overall security architecture of a software system and present it in a clear, visual form. This includes identifying the main security components and layers (e.g., authentication, authorization, encryption, logging/monitoring, secure storage, secure communications, and secure APIs) and documenting how they interact. The result is a security blueprint that guides implementation and gives every part of the system a defined place in the overall protection.

This matters because all team members gain insight into the security structure of the application before detailed implementation begins. Collaboration becomes easier (everyone knows where each security control belongs), and later security changes or additions can be made with minimal impact on the rest of the system while defense-in-depth is preserved.

Starting Points

Key Points

  • You divide the security architecture into logical security modules/components with clear responsibilities. You demonstrate understanding of defense-in-depth and separation of security concerns in the architecture.
  • You create a schematic overview (such as a threat model, data flow diagram, or security control matrix) of the security architecture. This shows which security components exist and how security controls protect data flows between these components.
  • You justify security architecture choices based on recognized security principles like least privilege, fail-secure, and complete mediation.
  • You take into account common secure architecture patterns where relevant, such as security gateways, security interceptors, and security context objects.
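The patterns and principles listed above (security context object, security interceptor, complete mediation, fail-secure, least privilege, and a logging component that records every decision) are easier to reason about when seen in working code. The following is an added example, written for this page and not taken from any project or curriculum; the role names, permission strings, `OrderService` and the in-memory `AUDIT` list are assumptions chosen for illustration.

```python
"""Security context object + security interceptor (added example, not from the original page)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, FrozenSet, List, Tuple

# Least privilege: each role carries only the permissions its tasks need.
# Role and permission names are assumptions made for this example.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"orders:read"}),
    "clerk": frozenset({"orders:read", "orders:create"}),
    "admin": frozenset({"orders:read", "orders:create", "orders:delete"}),
}


@dataclass(frozen=True)
class SecurityContext:
    """Security context object: the authenticated principal and its roles,
    passed explicitly into every protected call rather than read from ambient state."""
    principal: str
    roles: FrozenSet[str]

    def permissions(self) -> FrozenSet[str]:
        # A role that is not in the policy grants nothing: unmapped roles fail secure.
        return frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in self.roles))


class AccessDenied(PermissionError):
    pass


# Audit trail kept in memory so decisions can be inspected; a real system would
# hand these records to the logging/monitoring component.
AUDIT: List[Tuple[str, str, str, str]] = []


def requires(permission: str) -> Callable:
    """Security interceptor: every call to a decorated method passes through here
    (complete mediation). The context is the first argument after self; a missing
    or malformed context is denied rather than skipped (fail-secure)."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(self, ctx, *args, **kwargs):
            if not isinstance(ctx, SecurityContext):
                AUDIT.append(("deny", "<no-context>", permission, fn.__name__))
                raise AccessDenied(f"{fn.__name__}: no security context supplied")
            if permission not in ctx.permissions():
                AUDIT.append(("deny", ctx.principal, permission, fn.__name__))
                raise AccessDenied(f"{ctx.principal} lacks {permission}")
            AUDIT.append(("allow", ctx.principal, permission, fn.__name__))
            return fn(self, ctx, *args, **kwargs)
        return wrapper
    return decorator


class OrderService:
    """Business component with no authorization logic of its own: the interceptor
    is the only way in (separation of security concerns)."""
    def __init__(self) -> None:
        self._orders = {}

    @requires("orders:create")
    def create(self, ctx: SecurityContext, order_id: str, item: str) -> str:
        self._orders[order_id] = item
        return order_id

    @requires("orders:read")
    def get(self, ctx: SecurityContext, order_id: str) -> str:
        return self._orders[order_id]

    @requires("orders:delete")
    def delete(self, ctx: SecurityContext, order_id: str) -> bool:
        return self._orders.pop(order_id, None) is not None


def demo() -> dict:
    """Exercise the policy with constructed principals and report each outcome."""
    svc = OrderService()
    clerk = SecurityContext("alice", frozenset({"clerk"}))
    viewer = SecurityContext("bob", frozenset({"viewer"}))
    stranger = SecurityContext("mallory", frozenset({"unknown-role"}))  # role absent from policy
    results = {}
    results["clerk_create"] = svc.create(clerk, "o-1", "widget")
    results["viewer_read"] = svc.get(viewer, "o-1")
    attempts = [
        ("viewer_delete", lambda: svc.delete(viewer, "o-1")),
        ("clerk_delete", lambda: svc.delete(clerk, "o-1")),
        ("stranger_read", lambda: svc.get(stranger, "o-1")),
        ("no_context", lambda: svc.get(None, "o-1")),
    ]
    for name, call in attempts:
        try:
            call()
            results[name] = "allowed"
        except AccessDenied:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    for entry in AUDIT:
        print(entry)
```

The point to notice is where the decisions live: the business methods contain no checks, the policy is a single table, the context travels as an explicit parameter, and every allow or deny is recorded. That is the shape a security control matrix or data flow diagram should make visible before the code is written.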