The Application Security Design Review provides the ability to understand risks that your application has as a result of existing weaknesses in the system’s design. You can perform Design Review before the development begins and also after the system has been deployed.
When performing Design Review before the development begins it give you the ability to:
- Locate missing security mechanisms in the system.
- To examine whether the design of the security mechanisms is good enough.
- Examine that the security requirements being applied
Design review answers the question whether the system is secured by design or it will require implementation of additional security controls and patches to improve its security.
Software developers with secure development skills and awareness can write secure code, but if the system is insecure by its design, an attacker might exploit the vulnerabilities in the design.
Security by design prevents vulnerabilities at an early stage of the project.
It is a security best practice to perform a design review for a system before its implementation. It allows making the product secure by design and to mitigate potential vulnerabilities and developments mistakes, hence improving the “time to market” metric of the project. For systems running in production, the design review provides awareness of system design security flows and a basis for decision making and the introduction of system specific development guidelines to avoid the introduction of vulnerabilities into the system.
Design review is applicable for newly developed systems or systems which are already in production. During the design review we interview key personnel and system owners to better understand the architecture and design. We also inspect relevant documents such as system design and architecture diagrams.
After the initial assessment we analyze the collected data and provide a full report that contains security flaws in the design and the architecture of the system and provides the client with recommendations for mitigating those findings.
Comsec’s design review includes the following topics during the assessment:
• Identification of security threats in the system
• Secure design and architecture of the system
• How the system implements security mechanisms?
• Is the system implemented according to Secure Design Principles?
Comsec has performed reviews like this for many different clients in variety of industries such as Financial, Telecom, Hi-Tech and more.