Security Requirements
How can one build security into a solution if there are no well-defined security requirements?
A secure solution begins with a good design! Much of the foundation for assessing whether a solution is secure comes from the design phase, where important trade-offs between cost, benefit, and risk must be made.
The articles you find under the topic design on this page will focus on the design process. Although this process may include much more than we have listed, we cover the essentials such as thorough documentation of what is to be built, critical clarifications, and the need for context.
It’s important to have a good foundation when building quality solutions, and drawings and diagrams showing the infrastructure, data flow, networks, and access control are crucial elements. Without this information, it is difficult to validate if the implementation matches the intended design.
Development projects use different environments for various purposes, such as testing deployments in a dedicated dev environment, exposing the test environment to product owners and other key personnel, and the production environment to end users. To avoid incidents in one environment affecting another, we must segregate them at a level that makes sense for the team and the context in which we work.
Authentication verifies who you are, and authorization determines what you are allowed to do. These are important concepts that must be correctly implemented to ensure the security of a solution.
The network is a fundamental component in everything we create, and it is important to have a basic understanding of how it works and how it can be exploited by others.
Threat modeling is an exercise aimed at identifying threats so that the risk they pose can be assessed against the overall security of the solution. From a threat model, mitigating measures can be identified and implemented to reduce risk.
Having the right competence is crucial for all teams, especially when it comes to security. The team must identify any gaps they have, so that measures such as training can be implemented to cover these gaps.