OWASP Developer Guide


4. Design

Referring to the Secure Product Design Cheat Sheet, the purpose of secure architecture and design is to ensure that all products meet or exceed the security requirements laid down by the organization, focusing on the security linked to components and technologies used during the development of the application.

Secure Architecture Design looks at the selection and composition of components that form the foundation of the solution. Technology Management looks at the security of supporting technologies used during development, deployment and operations, such as development stacks and tooling, deployment tooling, and operating systems and tooling.

A secure design will help establish secure defaults, minimise the attack surface area and fail securely to well-defined and understood defaults. It will also consider and follow various principles, such as:

  • Least Privilege and Separation of Duties
  • Defense-in-Depth
  • Zero Trust
  • Security in the Open

A Secure Development Lifecycle (SDLC) helps to ensure that all security decisions made about the product being developed are explicit choices and result in the correct level of security for the product design. Various secure development lifecycles can be used and they generally include threat modeling in the design process.

Checklists and Cheat Sheets are an important tool during the design process; they provide an easy reference of knowledge and help avoid repeating design errors and mistakes.

Software application Design is one of the major business functions described in the Software Assurance Maturity Model (SAMM), and includes security practices:


4.1 Threat modeling
4.1.1 Threat modeling in practice
4.1.2 Pythonic Threat Modeling
4.1.3 Threat Dragon
4.1.4 Cornucopia
4.1.6 Threat Modeling toolkit
4.2 Web application checklist
4.2.1 Checklist: Define Security Requirements
4.2.2 Checklist: Leverage Security Frameworks and Libraries
4.2.3 Checklist: Secure Database Access
4.2.4 Checklist: Encode and Escape Data
4.2.5 Checklist: Validate All Inputs
4.2.6 Checklist: Implement Digital Identity
4.2.7 Checklist: Enforce Access Controls
4.2.8 Checklist: Protect Data Everywhere
4.2.9 Checklist: Implement Security Logging and Monitoring
4.2.10 Checklist: Handle all Errors and Exceptions
4.3 Mobile application checklist

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.