SaFi Bank Space : Security Engineering

Overview

The engineering process designs the security controls needed to address the gaps, threats, or risks identified during security assessment. The goal of engineering is to provide a secure design in line with the business requirements. The design specifies the security controls that must be put in place to make the implementation secure and to maintain the security posture of both the application and the overall architecture.

Design

The core of the process is finding the best solution to address each gap without sacrificing business requirements. To organize the design process, it is divided into sub-processes.

  1. Set limitations. The goal is to know the limitations of your design. The aim is to set expectations that incorporate the business requirements, making clear what you can and cannot change in the current design and architecture.

  2. Cross-reference OWASP ASVS V1 Architecture, Design and Threat Modeling. The goal is to have checklist-based controls to work from while looking at the business requirements. The aim is to avoid introducing further gaps through missed controls.

  3. List the identified security controls. The goal is to have a collection of suggested secure implementations, including the design for how to implement each one. The aim is to give the development team a list of items to consider in their deliverables, from sprint to project capacity scheduling.

  4. Prioritize the controls. The goal is to give the business a list it can use to strategize based on the requirements. The aim is to guide the business on what is mandatory and a must-have, what can be done over a longer timeframe, and what is nice to have right now. Use the OWASP Top 10 to inform prioritization, and sort the list by priority.

Expected output: a list of the controls to implement, sorted by priority.

| Gap | Security Controls | Security Requirement | Priority | Action Ticket |
|---|---|---|---|---|
| Insecure VPN certificates | ASVS 1.6.4 | Replace VPN certificates with secure certificates signed by a trusted CA | 1 | App-123 |
| … | … | … | … | … |