SDL Process: Design

The design requirements activity contains a number of required actions including the creation of security and privacy design specifications, specification review, and specification of minimal cryptographic design requirements.

A thorough analysis will provide better awareness of overall product attack surface. With this information, design considerations should be put in place to reduce attack surface, including but not limited to disabling or restricting access to system services, applying the principle of least privilege, and employing layered defenses where possible.

Design specifications should describe how to architect software features securely. By considering security and privacy concerns early when you design features, you minimize the risk of schedule disruptions.

Attack surface reduction reduces security risk by giving attackers less opportunity to exploit a potential weak spot or vulnerability.

Traditional Software development: Design Phase
Agile development: One Time

Traditional Software development: Design Phase
Agile development: Bucket/Planning

• Basics of Secure Design, Development and Test
• Privacy in Software Development
• Privacy Guidelines for Developing Software Products and Services
• Firewall Rules and Requirements
• Cryptographic Agility
• Documenting and Evaluating the Security Guarantees of Your Apps

• SDL Developer Starter Kit - Secure Design Principles
• Fending Off Future Attacks by Reducing Attack Surface
• Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users
• Webcast: Fending Off Attacks by Reducing an Application's Attack Surface (Level 300)