Secure Application Design Review


Software design inherently has to strike a balance between security and usability. Do you understand the risks of your applications?

Applications benefit by having periodic reassessments of their design and architecture. Over time, small decisions and adjustments to an application can evolve into significant security gaps. Critical application components such as authentication and authorization, secrets management, and API security all warrant increased scrutiny to ensure sensitive information is secured both intransit and at rest. These functions are often some of the most complex to implement, and gaps can quickly lead to compromise.

We work with your development teams to review existing architecture diagrams, documentation, and configurations to find these issues before they make it into production. If you don’t have everything perfectly documented, that’s okay. We can work with you to get an understanding of the current state and gather additional details through technical means. We’ll perform threat modeling of the application and identify the robustness of the areas in which attackers are most likely to focus.

We use the following approaches to ensure your application design is secure:

  • Threat modeling and rapid risk assessments of your application and its associated infrastructure components, including ingress controllers, gateways, servers, pipelines, software repositories, containers, microservices, networking, cryptography, logging, public key infrastructure (PKI), and any orchestration systems, including Kubernetes.
  • Manual and automated reviews of the application source code and its architecture, documenting and suggesting changes as we see them.
  • Review of authentication and authorization framework selection and implementation, and additional security controls including content security policy (CSP) headers, cross-origin resource sharing (CORS) policy, cross-site scripting (XSS) mitigations, and injection protections.
  • Meet with team members to understand the critical functionality and existing concerns with the application design that require the most attention.


[solutions category='protect' limit=4] PROTECT – SECURITY ENGINEERING, BLUE TEAM​ – Secure Application Design Review