The Application Security Architecture Guidelines is a walkthrough on the security concepts of application architecture. Designing and maintaining applications and systems based on security standards and best practices protects organizations from attack, reduces risk, and maintains compliance implicitly with virtually any standard, regulation, or law.
The objective of this document is to serve as a basic guideline for applications security design. This document provides a generic view, definitions and recommendations to be considered when stakeholders face by the first-time security design or review for a new or already existing application.
There are many resources that can be used to define an application security architecture and it is not the aim of this document to cover all of them. SDIP (“Software Development Improvement Program”) provides specific guidelines, training and resources that must be used as a reference for specific problems or decisions.
Application architecture design must adhere to Security Policies and Security Standards defined by the Company.
Document is applicable to all Company employees, third parties and functional units involved in the application design or acquisition process, typically owners, architects, developers and IS Security staff.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. APPLICATION SECURITY ARCHITECTURE DEVELOPMENT
3.1 APPLICATION SECURITY REQUIREMENTS
3.2 ARCHITECTURE PATTERN
3.3 ARCHITECTURE MODEL
3.4 ARCHITECTURE DESCRIPTION
4. APPLICATION AND SOFTWARE SECURITY DEVELOPMENT LIFE CYCLE
4.1 APPLICATION SECURITY
4.2 SOFTWARE SECURITY
4.3 SOFTWARE SECURITY BEST PRACTICES
4.4 SECURITY TOOL INTEGRATION WITH DEVELOPMENT LIFE CYCLE
4.5 SETTING UP THE ENVIRONMENTS – DTAP METHODOLOGY
4.6 IN-HOUSE VS EXTERNALLY DEVELOPED SOFTWARE
5. APPLICATION SECURITY ANALYSIS
5.1 KEY SECURITY CONCEPTS AROUND USERS
5.2 SECURITY COMPONENTS
6. APPLICATION SECURITY DESIGN
6.1 SINGLE ACCESS POINT
6.4 SECURITY ACCESS LAYER
6.8 ADMINISTRATION LAYER
6.9 APPLICATION SECURITY DEVELOPMENT
6.10 SOURCE CODE AND BINARIES PROTECTION
6.11 THICK CLIENT APPLICATIONS
6.12 MOBILE APPLICATIONS
6.13 APPLICATION CONFIGURATION REQUIREMENTS
6.14 APPLICATION SECURITY RISK ASSESSMENT
6.15 APPLICATION SECURITY ASSURANCE
8. FINAL CONSIDERATIONS
8.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
8.2 DOCUMENT REVISION
This bundle contains all the products listed in the Program Development and Change Management section. Take advantage of the 25% OFF when buying the bundle!
The objective of the Cryptographic Controls Standard is to outline the minimum information security controls which must be applied when cryptographic services and solutions are utilized by the Company. Specifically, this Standard focuses on key management requirements, acceptable algorithms, appropriate key lengths, and raises pertinent regulatory considerations relating to the use of cryptography.
Adequate Capacity Management Policy must be defined and implemented at the Company, in order to be possible to correctly monitor the performance of the existing or future Company systems, to forecast their future evolution and identify possible bottlenecks.