P.2.1 Security design review
Control Details
Objective
Decrease the number of design flaws and security vulnerabilities introduced during the architecture and design phases.
Definition
Enumerate possible threat vectors. Conduct threat modeling and attack surface analysis to identify weaknesses in the software architecture and design so that the system is resistant to attack. Identify missing security features and requirements. Identify unused components in the design. Address the identified security risks through re-design, or develop and track a mitigation plan for any accepted exceptions.
Assessment Questions
- For all critical software components and external services that your team operates and owns, has a qualified person not involved in the design reviewed the design and conducted an attack surface analysis and threat model?
- What approaches do you use to reduce the number of attack vectors?
- What kind of tool or methodology (like STRIDE) do you use to structure your threat modeling?
- Do you analyze the product so that only required modules are included, and unused modules are uninstalled and removed to decrease the attack surface?
- How are unused modules identified, for example by 'debloating' the product and its containers of unused components?
Reference sources
- EO 4e(iv) 4e(v) 4e(ix)
- OWASP-SCVS 3.20 3.21
- SSDF PW.1.1 PW.2.1
- SSDF-AI PW.1.1
- BSIMM AA1.1 AA1.2 AA2.1 AA3.1
- Self-attestation 4
- SAMM D-TA-2-A D-TA-1-B V-AA-1-B V-AA-2-A V-RT-2-A V-RT-2-B
- 800-161 SA-17
- OSPS OSPS-SA-03