Secure Design Review

Bugsbunnyy
2 min read · Oct 5, 2023


What is a Secure Design Review?

A Secure Design Review is a step in the secure SDLC workflow that assesses a product's or feature's proposed design from a security perspective, based on the threats and risks that can be introduced at the design level. It is best carried out while design discussions are still in progress. The review generally considers how the code will be structured to meet the minimum security requirements, and whether the system as designed accounts for general authentication and authorisation issues, integrity issues, and similar concerns.

What are the advantages of a Secure Design Review?

  • Fewer security issues reach the production phase
  • It inculcates a secure coding and design mindset in developers
  • Strong protection capabilities are introduced earlier in the product

Design Review Process

  • Design presentation: In this phase, the dev team walks the security team through the design and explains the workflow.
  • Security Evaluation: In this phase, the security team reviews the design and raises questions or concerns with the dev team for clarification.
  • Concern Acknowledgement: In this phase, the dev team acknowledges the security issues and recommendations highlighted by the security team and proposes alternate, more secure design improvements.
  • Design Approval: In this phase, the security team evaluates the proposed secure design and validates that it aligns with the security team's guidelines and recommendations.
  • Design goes for development: This is the last phase; once the security team has approved it, the design can move into the development phase.

RACI (Responsibility, Accountability, Consulted, Informed) Matrix for Design Review Flow

When should you do the Design Review?

a) A new application which is still in the design phase and has not yet been finalised for development.

b) A new vertical / Business Unit which is still in the design phase and has not yet been finalised for development, e.g.

c) A change to an already existing module which is still in the design phase and has not yet been finalised for development (more than 30% of the code base or application workflow changing).

Inputs to be provided to Security Team (all or any):

  • Design Document
  • Workflow Diagram
  • UML (Unified Modeling Language) Diagram
  • Product Requirement Document
