2.1 - Component mapping

Goal

The goal of component mapping is to create a comprehensive inventory of all components within the application, understand how data moves through these components, and identify the interactions between the application and external entities. This step is critical for identifying potential vulnerabilities and the paths an attacker might exploit.

How to Execute

  1. List All Application Components
    • Description: Begin by identifying and documenting every component that makes up the application. Components can include web servers, application servers, databases, front-end interfaces, middleware, and external libraries.
    • Tools/Techniques:
      • Use architecture diagrams to visualize component relationships.
      • Gather with engineers to perform a whiteboarding session
    • Output: A comprehensive list of all application components, both physical and logical.
  1. Visualize Data Flow
    • Description: Develop an understanding that provides a clear overview of how data is processed within the application, from entry to exit. The goal is to illustrate the general flow of data and identify key processing points and data storage locations, without necessarily delving into intricate technical details unless necessary. This will help in understanding the transitions between different security domains and the overall data handling architecture.
    • Tools/Techniques:
      • Focus on illustrating major components like user interfaces, servers, databases, and external systems, and how data flows between them.
    • Output: A set of DFDs/understanding that effectively represent the general pathways of data movement and key storage points within the application, providing sufficient detail to identify potential security vulnerabilities related to data handling.
  1. Map External Interactions and Dependencies
    • Description: Document how the application interacts with external systems. This includes APIs, third-party services, and any data exchanges with external entities.
    • Tools/Techniques:
      • Diagram inter-system data flows to understand external dependencies and data exchange mechanisms.
      • Review API documentation and third-party service agreements to understand the data and control flows.
    • Output: A detailed mapping of all external interactions, highlighting potential security boundaries and trust levels.
  1. Identify Security Controls
    • Description: As part of the component mapping, identify existing security controls for each component and data flow. This includes firewalls, encryption mechanisms, and access controls.
    • Tools/Techniques:
      • Review security configuration settings and policy documents and documentation of stacks/libraries that are being implemented.
      • Interview system administrators and security personnel to understand implemented controls.
    • Output: Documentation of existing security measures tied to specific components and data flows.

results matching ""

    No results matching ""