Step 2. Create an Architecture Overview


At this stage, the goal is to document the function of your application, its architecture and physical deployment configuration, and the technologies that form part of your solution. You should be looking for potential vulnerabilities in the design or implementation of the application.

During this step, you perform the following tasks:

  • Identify what the application does.

  • Create an architecture diagram.

  • Identify the technologies.

Identify What the Application Does

Identify what the application does and how it uses and accesses assets. Document use cases to help you and others understand how your application is supposed to be used. This also helps you work out how it can be misused. Use cases put application functionality in context.

Here are some sample use cases for a self-service, employee human resources application:

  • Employee views financial data.

  • Employee updates personal data.

  • Manager views employee details.

In the above cases, you can look at the implications of the business rules being misused. For example, consider a user trying to modify personal details of another user. He or she should not be authorized to access those details according to the defined application requirements.
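The sample use cases above can be written down as deny-by-default authorization rules and exercised with misuse cases. The following is an added example, not code from the book; the user names, the role model, and the restriction of "Manager views employee details" to direct reports are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset                 # e.g. {"employee"} or {"employee", "manager"}
    manager: Optional[str] = None    # name of this user's manager (assumed field)

# Scope checks receive the acting user and the owner of the record.
def own_record(actor, owner):
    return actor.name == owner.name

def direct_report(actor, owner):
    # Assumption: a manager may only view details of direct reports.
    return owner.manager == actor.name

# One rule per documented use case: (role, action, asset) -> scope check.
USE_CASES = {
    ("employee", "view", "financial_data"): own_record,
    ("employee", "update", "personal_data"): own_record,
    ("manager", "view", "employee_details"): direct_report,
}

def is_authorized(actor, action, asset, owner):
    """Deny by default: only a documented use case, within its scope, is allowed."""
    for role in actor.roles:
        scope = USE_CASES.get((role, action, asset))
        if scope is not None and scope(actor, owner):
            return True
    return False

def run_misuse_cases():
    """Evaluate intended uses and misuses against the rules (constructed sample users)."""
    emp = frozenset({"employee"})
    alice = User("alice", emp, manager="carol")
    bob = User("bob", emp, manager="dave")
    carol = User("carol", emp | {"manager"})
    cases = {
        "alice updates own personal data": (alice, "update", "personal_data", alice),
        "alice updates bob's personal data": (alice, "update", "personal_data", bob),
        "alice views bob's financial data": (alice, "view", "financial_data", bob),
        "carol views alice's details": (carol, "view", "employee_details", alice),
        "carol views bob's details": (carol, "view", "employee_details", bob),
        "carol updates alice's personal data": (carol, "update", "personal_data", alice),
    }
    return {label: is_authorized(*args) for label, args in cases.items()}

if __name__ == "__main__":
    for label, allowed in run_misuse_cases().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {label}")
```

Each denied row is a misuse case worth carrying forward into the threat list, together with the rule that is expected to stop it.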

Create an Architecture Diagram

Create a high-level architecture diagram that describes the composition and structure of your application and its subsystems as well as its physical deployment characteristics, such as the diagram in Figure 3.3. Depending on the complexity of your system, you might need to create additional diagrams that focus on different areas, for example, a diagram to model the architecture of a middle-tier application server, or one to model the interaction with an external system.

Figure 3.3: Sample application architecture diagram

Start by drawing a rough diagram that conveys the composition and structure of the application and its subsystems together with its deployment characteristics. Then, evolve the diagram by adding details about the trust boundaries, authentication, and authorization mechanisms as and when you discover them (usually during Step 3 when you decompose the application).

Identify the Technologies

Identify the distinct technologies that are used to implement your solution. This helps you focus on technology-specific threats later in the process. It also helps you determine the correct and most appropriate mitigation techniques. The technologies you are most likely to identify include ASP.NET, Web Services, Enterprise Services, Microsoft .NET Remoting, and ADO.NET. Also identify any unmanaged code that your application calls.

Document the technologies using a table similar to Table 3.1, below.

Table 3.1: Implementation Technologies

| Technology/Platform | Implementation Details |
|---|---|
| Microsoft SQL Server on Microsoft Windows Advanced Server 2000 | Includes logins, database users, user defined database roles, tables, stored procedures, views, constraints, and triggers. |
| Microsoft .NET Framework | Used for Forms authentication. |
| Secure Sockets Layer (SSL) | Used to encrypt HTTP traffic. |




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
