Security Architecture Review Vocabulary
Vocabulary Reference
| Term / Phrase | Meaning in context |
|---|---|
| "the design has a risk of" | Phrase used in architecture review meetings to introduce an identified security weakness without blaming individuals — focuses discussion on the design, not the designer. |
| Mitigating control | A security measure added to reduce the likelihood or impact of a specific identified risk — targeted at one or more risks raised during the review. |
| Residual risk | The risk that remains after all mitigating controls have been applied — what the organisation accepts or escalates for further treatment. |
| Security design review | A structured evaluation of a system design before implementation, assessing threats, controls, and compliance requirements while changes are still cheap. |
| "we need to walk through the threat model" | Common meeting phrase requesting a structured review of identified threats and their mitigations before a design is approved. |
| Design risk vs. implementation risk | Design risk: a fundamental flaw in how the system is architected, which careful coding cannot fix. Implementation risk: a flaw that arises from how an otherwise sound design is coded. The two are surfaced by different kinds of review. |
1. In a design review meeting, the security architect says: "The design has a risk of session tokens being exposed in URL parameters, which would allow them to appear in server logs and browser history." Why is this phrasing preferred over "you have put tokens in URLs"?
2. The review identifies that the API does not validate JWT signatures. The team proposes adding server-side signature verification on every request. In architecture review language, the signature verification is called:
3. After adding rate limiting, MFA, and anomaly detection to address credential stuffing risks, the team acknowledges that a highly sophisticated targeted attack could still succeed. The risk that remains is called:
4. The architecture review board chair opens the meeting: "Before we approve the payment service design, we need to walk through the threat model to confirm each identified threat has a mapped control." What is the purpose of this step?
5. The review reveals that the chosen architecture of storing PII in a shared multi-tenant database is fundamentally insecure regardless of how carefully the code is written. The security lead says: "This isn't an implementation problem — it's a design problem." What distinction are they making?