Architecture and Design Security Reviews
-
Build a security review process and integrate security review into the SDLC
People: the security team plus security champions embedded in each product team
Process: review workflow managed by PMs; criticality criteria that decide which changes require review; approval process; exceptions (risk acceptance) with a named approver and an expiry date
Artifacts: expectations for reviewers and reviewees, design review templates, standard review questions
Create approval gates before development starts and before deployment.
-
Technology: build technical standards and guidelines
Coding standards, open source use standards
API and application security standards
Data classification and privacy standards, cryptography use standards
AI use standards
-
Threat & Risk Management and Tracking
Build and maintain an asset inventory, threat models per asset or system, and a list of security controls mapped to the threats they mitigate
A risk management framework: severity rating scheme, vulnerability management policy (remediation SLA per severity), risk tracking
Remediation tracking and monitoring; storage and recording of review artifacts and decisions
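As an added example (not part of these notes, and not any particular organization's tool), the following Python sketch shows the mechanics a risk register needs: a severity rating, a remediation SLA per severity taken from the vulnerability management policy, exceptions recorded with an approver and an expiry date, and an overdue report. The SLA day counts, the status names, and the sample findings are assumptions constructed for the example.

```python
"""Minimal risk register: severity-based remediation SLAs, tracked exceptions, overdue report."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed vulnerability management policy: days allowed from discovery to remediation.
# A real policy would set these values; they are placeholders here.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


@dataclass
class RiskAcceptance:
    """A documented exception: the approver accepts the risk until `expires`."""
    approver: str
    reason: str
    expires: date


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    owner: str
    remediated: Optional[date] = None
    acceptance: Optional[RiskAcceptance] = None

    def due_date(self) -> date:
        """Remediation deadline derived from the severity SLA."""
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        """One of: remediated, accepted (exception still valid), open, overdue."""
        if self.remediated is not None:
            return "remediated"
        if self.acceptance is not None and self.acceptance.expires >= today:
            return "accepted"
        return "overdue" if today > self.due_date() else "open"


def validate(finding: Finding) -> None:
    """Reject findings that cannot be tracked: unknown severity or an exception with no expiry."""
    if finding.severity not in SLA_DAYS:
        raise ValueError(f"{finding.finding_id}: unknown severity {finding.severity!r}")
    if finding.acceptance is not None and finding.acceptance.expires <= finding.discovered:
        raise ValueError(f"{finding.finding_id}: exception must expire after discovery")


def report(findings, today: date) -> dict:
    """Group finding ids by their current status."""
    buckets = {"overdue": [], "open": [], "accepted": [], "remediated": []}
    for f in findings:
        buckets[f.status(today)].append(f.finding_id)
    return buckets


def overdue(findings, today: date):
    """Overdue findings as (id, severity, days_late), most severe and most overdue first."""
    late = [f for f in findings if f.status(today) == "overdue"]
    late.sort(key=lambda f: (SEVERITY_ORDER.index(f.severity), -(today - f.due_date()).days))
    return [(f.finding_id, f.severity, (today - f.due_date()).days) for f in late]


def expiring_exceptions(findings, today: date, within_days: int = 30):
    """Ids of accepted findings whose exception expires within `within_days`; they need re-review."""
    horizon = today + timedelta(days=within_days)
    return [f.finding_id for f in findings
            if f.status(today) == "accepted" and f.acceptance.expires <= horizon]


# Constructed sample data for the example (not real findings).
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("F-1", "payments-api", "critical", date(2024, 5, 20), "team-pay"),
    Finding("F-2", "web-frontend", "high", date(2024, 5, 10), "team-web"),
    Finding("F-3", "batch-jobs", "medium", date(2024, 1, 15), "team-data",
            acceptance=RiskAcceptance("ciso", "isolated network, fix in Q3", date(2024, 6, 20))),
    Finding("F-4", "auth-service", "high", date(2024, 4, 1), "team-idp",
            acceptance=RiskAcceptance("ciso", "vendor patch pending", date(2024, 5, 15))),
    Finding("F-5", "web-frontend", "low", date(2024, 2, 1), "team-web", remediated=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for f in FINDINGS:
        validate(f)
    print(report(FINDINGS, TODAY))
    print(overdue(FINDINGS, TODAY))
    print(expiring_exceptions(FINDINGS, TODAY))
```

F-4 illustrates the case a tracker must handle: an exception that has lapsed is no longer a reason to leave the finding off the overdue list, which is why the expiry date is mandatory on every acceptance.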