The Application Security Design Review provides the ability to understand risks that your application has as a result of existing weaknesses in the system’s design. You can perform a Design Review before the development begins and also after the system has been deployed.
Performing Design Review before the development begins gives you the ability to:
• Locate missing security mechanisms in the system.
• Examine whether the design of the security mechanisms is good enough.
• Examine the security requirements being applied
Design review answers the question whether the system is secured by design or will it require implementation of additional security controls and patches to improve its security.
Software developers with secure development skills and awareness can write secure code, but if the system is insecure by design, an attacker might exploit the vulnerabilities in the design.
Security by design prevents vulnerabilities at an early stage in the project.
It is a security best practice to perform a design review for a system before its implementation. It allows making the product secure by design and mitigating potential vulnerabilities and developments mistakes, hence improving the “time to market” metric of the project. For systems running in production, the design review provides awareness of system design security flaws and is a basis for decision making as well as the introduction of system-specific development guidelines to avoid the introduction of vulnerabilities into the system.
Design review is applicable for newly-developed systems, or systems which are already in production. During the design review we interview key personnel and system owners to better understand the architecture and design. We also inspect relevant documents such as system design and architecture diagrams.
After the initial assessment we analyze the collected data and provide a full report that contains security flaws in the design and architecture of the system and provides the client with recommendations for mitigating those findings.
Comsec’s design review includes the following topics during the assessment:
• Identification of security threats in the system
• Secure design and architecture of the system
• How does the system implement security mechanisms?
• Is the system implemented according to Secure Design Principles?
Comsec has performed reviews like this for many different clients in variety of industries such as finance, telecom, Hi-Tech and more.