This is the first of a two-part post; part two is available here. The following list is a set of activities that need to be completed at least once to document an existing As-Is security architecture view for a business architecture and then need to be maintained over time through…
Category: Architecture
Security and Systems Engineering
In my experience, when a business brings security people into their systems engineering process, they are trying to solve a problem. Usually there has either been a painful security incident or some security testing pushed them over the edge and they feel exposed. Sometimes they are undertaking a big enough change or…
Security defect triage in delivery projects
The guys at Recx asked me to look at a draft of their recent blog post ‘The Business v Security Bugs – Risk Management of Software Security Vulnerabilities by ISVs’, where they describe some of the business constraints and influences on security defect triage for Independent Software Vendors and make the…
Zones of Trust
The key security design decision is the balance to be struck at every step of a system design between trust and inconvenience. For every system-to-system, subsystem-to-subsystem and component-to-component connection, a decision must be made as to whether either side of the connection will trust…
User-Sourced Security Monitoring
One of the constant challenges I face delivering big systems is meeting the protective monitoring requirements. A lot of the requirement to spot technical events (low level network probing, back door installation, beaconing and command and control channels) can be covered with a bundle of vendor products integrated into a…