Secure Architecture Review

Secure architecture design is a flexible process that has more than one right answer. The design process helps you make smart decisions now that will save time, money, and effort in the future. It’s much easier to design a system that uses security best practices and follow that design to implement a secure system than it is to try to bolt on security after the system is already designed. In addition, choosing the right technologies now can ensure that a security feature request later on doesn’t require a full overhaul of the entire platform.

Areas that we focus on during the secure architecture review process include:

• Secure Development Lifecycle
• Authentication
• Access Control
• Data Management
• Encryption
• Error Logging
• Component Communication
• Business Logic
• File Management
• Configuration and Hardening
• Architecture diagram review and connected services
• Verification of secure coding checklist, security plans and policy

We work hand in hand with relevant members of your team to ensure that high-level security goals are identified achieved.

Secure architecture reviews are performed on a variety of systems. Pensive Security offers both cloud and application security architecture reviews so that we can focus our efforts on what’s most important for you.

Cloud architecture security reviews provide a detailed analysis of your platform’s cloud infrastructure to uncover systemic security issues. We combine both automated and manual methodologies to identify misconfigurations in your cloud configuration and to identify design improvements which can reduce your security risk. We specialize in reviewing AWS, GCP, and Azure architecture.

Examples of security findings on an Amazon Web Services (AWS) cloud architecture review:

• Web Application Firewall (WAF) missing in front of your web application
• Enable Multi-factor authentication in IAM account
• Disable HTTP access to private S3 bucket in favor of HTTPS
• Enable AWS Shield for Cloudfront to prevent DDoS attacks

Application architecture reviews allow us to take an in-depth look at your web or mobile application architecture and suggest high-level security improvements. Modern web and mobile applications rely on sophisticated backends including APIs, databases, microservices, cloud object storage, and much more. Many vulnerabilities can be prevented by designing these integrated services to work together securely.

Examples of security findings on a mobile application architecture review:

• Remove private API keys stored in application bundle
• Mobile device communicates with web service URL which can be access directly and without authentication

When it comes to designing a secure architecture for your product, the earlier you can start the better. By choosing to invest in a secure architecture from the start, you are laying a solid framework that will save you money and time in the future.

Even if you already have a fully implemented and deployed system, its important to assess your system’s design regularly and ensure that you are on track to better security. Often, small adjustments to your system’s design can have a big impact on your overall security posture.

Secure architecture reviews provide the biggest impact when they are included as a part of a long term security plan. Combining secure architecture reviews with regular penetration testing and frequent vulnerability scanning help ensure that the gap between the architecture design and the implementation is as small as possible. By taking this two sided approach, the overall security risk of your platform is lowered, and your customer’s data is secure.