Software Secure Architecture and Design
Architecture overview: how the system's interaction with external systems puts it at risk.
How the boundaries of the system vary from deployment to deployment.
In your opinion, are there locations in the architecture where too many assets reside?
Analysis of your threat model, with more explanation about the boundaries of the system.
The purpose of this deliverable is to come up with the architecture and design of your
Your deliverable must include:
● Architecture Overview. Describe the architecture of the system. Please answer the
o What are the subsystems? What does each subsystem do?
o Are there subsystems that are expressly security features? (e.g. encryption,
authentication) Describe these in more depth.
o Consider the cost of developer mistakes in terms of subsystems. For example
"if a developer makes a mistake in this subsystem, what happens?"
o Do some subsystems appear to be more susceptible to code-level
o Do you see security built into the system at this architectural level? (e.g. distrustful
o How might compromising one subsystem affect the security (integrity,
reliability, etc.) of the others or of the system as a whole?
o How does the system interaction with external systems put it at risk?
o Consider how the architecture might change over time.
● Threat Model. Build a threat model diagram and conduct an analysis using the
Microsoft tool. Write up your analysis.
o What are the machine boundaries of the system? Does this vary from
deployment to deployment?
o What are the trust boundaries of the system? Are there any trust boundaries
more important than others?
Please make this diagram legible - I would rather you show the riskiest parts of the
threat model than enumerate every possibility. As a guide, threat models get pretty
confusing after about 12 primitives per diagram. If you feel your diagram must be more
complex, feel free to break it up into multiple diagrams.
● Assets to Threat Model Tracing. Provide a mapping from your assets in deliverable 1
to the elements in your threat model. Discuss this mapping:
o Does the location in the architecture affect the p(exploit) of an asset? Why or
o Are there locations in the architecture where no assets reside? Did you miss
any assets there?
o In your opinion, are there locations in the architecture where too many assets reside?
● Detailed Design. Show class diagrams of your detailed design. Please show and discuss
any secure design patterns, guidelines, or principles that you built into your design.
Project ID: #37501387