VSR's architectural security assessments identify both strengths and weaknesses of an application or product based on the design, implemented components, system deployment configuration, and security controls used to eliminate or mitigate threats in the architecture.
During application architecture security and design reviews, the VSR team works with developers and architects to understand the components that make up a given application. Separately, VSR works with business representatives to understand the use cases and business impact associated with the application and with the risks identified during the assessment process, allowing VSR not only to identify technical risks but also to quantify business risk.
Decomposing the application into constituent elements such as data sources, data flows, processes, application interfaces, users, roles, use cases and application components provides a mechanism to develop an application threat model and identify potential risks derived from application design and the choice of particular technologies. VSR will provide a comprehensive threat model of potential and observed risks in the application architecture and develop recommendations to eliminate or mitigate risks.
By identifying risks early in the software development lifecycle (SDLC), VSR's team of consultants aims to reduce the cost of improving the overall security posture of applications and system architectures by promoting security awareness with key business and technical stakeholders throughout the assessment process.
A typical architectural assessment includes reviews of the following:
- Security controls associated with network, system and application interfaces
- Secure data storage, retrieval and handling
- Encryption of data in transit over untrusted networks
- User identification and access control
- Separation of roles and duties
- Enforcement of business logic
- Reliable audit record management
- Preserving application security across component trust boundaries
- Attack detection and response mechanisms
- Implementation compliance with architectural requirements
- Resistance to well-known attacks
VSR provides architectural guidance and recommendations based on industry best practice, industry-specific regulatory requirements and prudent security policy.