Security in the scope of Software Architecture

Security must be addressed in the development very early. Taken existing and well-defined security requirements for granted, the system and software architecture (an artifact called “Architecture Specification”) must consider and reflect security. I do favor an approach based on a set of essential building blocks in order to achieve the expected level of security. Parts of the building set are:

• Secure Components
• Secure Infrastructure and Services
• Secure Execution Environment
• Secure Network Environment (zones, compartments, sandboxes)
• End-to-End Security (supported by services like identity, authentication, authorization, auditing)
• Secure Operation (Logging, Import/Export, Backup/Restore) and Security Appliances
  

The approach addresses common security paradigms like “Layered Defense”, “Security in Depth” as well as general design objectives (modularity, consistency, extensibility, robustness). These building blocks are the foundation for a security architecture where security controls can be applied. Just to drill a little bit down. Secure components can be characterized as in the following:

Design and composition of components are essential steps to meet the requirement for a sustainable architecture. Components must be secured in accordance with recommended practices. Design and implementation must adhere to security principles, design patterns and coding rules. They must be configured according to the security policies of the organization. Remember the weakest link paradigm; one weak component could compromise the security of the whole architecture. Components that expose interfaces to the “outside world”, like user or communication interfaces are especially under attack or even the entry point for an intruder. This must be considered when specifying, designing and developing these entities. And, interfaces must be well-defined to support an integrative approach in order to achieve end-to-end security. The overall security requirements for the component design should be derived from general security objectives such confidentiality, integrity, availability, and accountability.

Software Architecture and Requirement Management…

… should be close friends that like to communicate and interact. Why? Software Architecture is the main and first interface between the requirements coming from different stakeholders and the development team. Based on the requirements, the “Architecture Specification” will be developed. Requirements are fetched from very different sources, depending on the domain. The subsequent bullets list just some of them, clustered as Functional (FR) and Non-Functional Requirements (NFR):
- Customers (FR)
- Existing Platforms, Mainline (FR), (NFR)
- General Market Requirements (NFR)
- Standards and Regulations (FR)
- Best Practice and Patterns (NFR)
- Quality Attributes, preferably prioritized, utility trees are recommended (NFR)
As a result, the “Architecture Specification” should reflect all requirements as well as their importance and emphasis in the project. Any mismatch (or even missing requirement) can be detected in the scope of a review or even a architecture test. This is good news because it avoids very expensive changes in later steps of the software development process.

Software Architecture (is alive and kicking)

I’m about going back a little bit to the roots, trying to write and blog more on software and system architecture. It might be necessary because it’s the foundation for all the distributed and web applications as well as for security architecture. It’s ez to get lost in all the details that come with these challenging topics. And, of course, it is my core business and field of expertise.
Software Architecture is the highest level in the area of software development (but it is not superficial or shallow, not at all). Software Architecture is the foundation for all the other more detailed development steps that will follow in the life cycle of a system. Because of its early position in this process, Software Architecture is an important success criterion. And because of this fact, it should be tested, at least by a very detailed review. In order to be testable, Software Architecture must be documented, preferable in a single document called the “Architecture Specification” based on well-defined views. Diagrams and figures are mandatory. The quality of the Software Architecture affects the quality of the whole system in creation predominantly. A well documented and widely teached Software Architecture is a perfect guidance for the development team. Project management needs it to make parallel development on components happen. It is highly recommended to communicate the Software Architecture to all other relevant stakeholders: Customers, 3rd Parties, Marketing, Operations & Services, and Test Teams. More is about to come …