Tuesday, January 27, 2015

International Privacy Day - Let's Pledge to Protect Our Own and Others' Digital Footprints

What we can do -

1. Fracture our digital identity, i.e. strategically use different email IDs, browsers, etc., so that it is more difficult for entities to assemble one cohesive data set about you.

2. Check privacy settings - Browsers, devices and apps are often set to share our personal data. Review the default settings to see whether we are comfortable with the data that is shared automatically.

3. Regularly review your browser's cookies - Ideally, keep the "Do Not Track" capability ON.

4. Read the digital fine print - Know the privacy policies of the devices, websites, social sharing services and applications you use.




Special Thanks to http://www.huffingtonpost.com

Thursday, January 22, 2015

Decomposing the Application – A Threat Modeling View (Also Useful from an Application Risk Visibility Perspective)



Step 1: Identification of trust boundaries
A trust boundary is the point at which the trust level or privilege changes.
For example, trust boundaries exist between the external (Internet) zone and the DMZ, and between the DMZ and the internal (Intranet) zone.

Step 2: Identification of Data/Information Entry Points
Entry points are the points where user input comes into the system. Each entry point is a potential threat source and so must be explicitly identified and safeguarded.
Entry points in a Web application could include any page that takes in user input, such as the logon page.

Step 3: Identification of Data/Information Exit Points
Exit points are the points that display information from within the system. They also include processes that take data out of the system.
Exit points can be a source of information leakage and need to be secured. Examples are a search results page and a backup process.

Step 4: Identification of Data/Information Flows
Data flow diagrams or sequence diagrams help to understand how the application accepts, processes, handles and transfers the data flowing across the different trust boundaries.

Step 5: Identification of Privileged code/passes
Code or passes that allow elevation of privilege or the execution of privileged operations are identified. All administrator functions are identified.

Step 6: Documenting the Security Profile of the Application
This involves identifying the design and implementation mechanisms that impact the security of the application. The security profile attributes to consider are Confidentiality, Integrity, Availability, Authentication, Authorization, etc., each assessed against the design and implementation considerations.
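
Steps 1 to 5 applied to a small constructed application, as an added example that is not part of the original post. The component names, zone trust levels and flows are assumptions made for illustration; the output is the inventory that Step 6 then documents.

```python
from dataclasses import dataclass

# Assumed trust level per zone (higher = more trusted).
ZONES = {"Internet": 0, "DMZ": 1, "Intranet": 2}

@dataclass(frozen=True)
class Flow:
    src: str                  # sending component
    dst: str                  # receiving component
    data: str                 # what moves along the flow
    privileged: bool = False  # triggers an administrator function

# Constructed sample application: component -> zone.
COMPONENTS = {"browser": "Internet", "offsite_store": "Internet",
              "web_server": "DMZ", "app_server": "Intranet",
              "database": "Intranet", "backup_job": "Intranet"}

# Constructed sample data flows (Step 4).
FLOWS = [
    Flow("browser", "web_server", "logon form"),
    Flow("web_server", "app_server", "credentials"),
    Flow("app_server", "database", "user lookup"),
    Flow("web_server", "browser", "search results"),
    Flow("browser", "web_server", "admin: delete user", privileged=True),
    Flow("database", "backup_job", "database dump"),
    Flow("backup_job", "offsite_store", "database backup"),
]

def decompose(components, flows, zones=ZONES, external="Internet"):
    """Classify each flow against Steps 1, 2, 3 and 5."""
    report = {"boundary_crossings": [], "entry_points": [],
              "exit_points": [], "privileged": []}
    for f in flows:
        if zones[components[f.src]] != zones[components[f.dst]]:
            report["boundary_crossings"].append(f)  # Step 1: trust level changes
        if components[f.src] == external:
            report["entry_points"].append(f)        # Step 2: input from outside
        if components[f.dst] == external:
            report["exit_points"].append(f)         # Step 3: data leaves the system
        if f.privileged:
            report["privileged"].append(f)          # Step 5: privileged operation
    return report

if __name__ == "__main__":
    for heading, items in decompose(COMPONENTS, FLOWS).items():
        print(heading)
        for f in items:
            print(f"  {f.src} -> {f.dst}: {f.data}")
```

A flow that appears under both `entry_points` and `privileged`, like the admin request here, is the first place to check authentication and authorization when filling in the security profile.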