Security Architecture
Threat modeling, STRIDE, PASTA, attack trees, trust boundaries, zero trust, defense-in-depth, compensating controls, and security design review vocabulary.
- Threat Modeling /θret ˈmɒdəlɪŋ/
A structured process of identifying potential security threats, attack vectors, and vulnerabilities in a system design — before implementation. Output: a prioritised list of mitigations.
"We run a threat modeling session for every new service before sprint 1. The output is a list of threats ordered by severity — high-severity items become acceptance criteria."
- STRIDE /straɪd/
A threat classification mnemonic: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Used to systematically identify threats against system components.
"We walked the data flow diagram using STRIDE. For the payment API: Spoofing (can caller forge identity?) → require mutual TLS. Elevation of Privilege (can a user call admin endpoints?) → enforce RBAC."
- PASTA /ˈpæstə/
Process for Attack Simulation and Threat Analysis — a risk-centric threat modeling framework with 7 stages from business objectives through attack simulation to risk/countermeasure alignment. More business-context-aware than STRIDE.
"We use PASTA for compliance-critical systems — it traces threats back to business impact, which makes the risk acceptance conversation with the CISO much clearer."
- Attack Tree /əˈtæk triː/
A hierarchical diagram representing how an attacker could achieve a goal. The root node is the attacker's objective; leaf nodes are specific attack actions. Used to reason about complex multi-step attack paths.
"The attack tree for 'exfiltrate customer data' has 3 branches: compromise admin credentials, exploit a SQL injection, or abuse an internal service with over-permissive IAM. Each leaf has a probability and cost estimate."
- Trust Boundary /trʌst ˈbaʊndri/
A boundary in a system architecture where the level of trust changes — for example, between the internet and a DMZ, or between a frontend service and a backend API. Data crossing a trust boundary requires validation and authentication.
"In the data flow diagram, every arrow crossing a trust boundary is a security control point. The trust boundary between the browser and the API gateway is enforced with OAuth 2.0 and input validation."
- Trust Zone /trʌst zoʊn/
A network or logical segment where components share an equivalent level of trust and interact without additional authentication. Typically defined by network segmentation (VPC, subnet, firewall rules).
"All backend microservices are in the same trust zone — they communicate without mutual authentication. The API gateway is the enforced entry point from the lower-trust external zone."
- Attack Surface /əˈtæk ˈsɜːrfɪs/
The sum of all the different points (the surface) where an attacker can try to enter or extract data from an environment. Includes every exposed API endpoint, UI form, port, and protocol.
"We conducted an attack surface analysis — 40 public endpoints, 3 open ports, 2 authentication methods. Reducing the attack surface was the first priority: we removed 12 endpoints that had no active consumers."
- Attack Surface Reduction /əˈtæk ˈsɜːrfɪs rɪˈdʌkʃən/
The practice of minimising the attack surface by removing unnecessary endpoints, disabling unused features, closing unused ports, and applying least-privilege principles — reducing the number of vectors an attacker can exploit.
"Attack surface reduction quick wins: disable introspection on the GraphQL API in production, remove the /admin endpoint from the public-facing service, close ports 8080 and 9090 on the public subnet."
- Defense-in-Depth /dɪˈfens ɪn depθ/
A security strategy applying multiple independent layers of controls, so that if one layer is bypassed, subsequent layers continue to protect. Assumes any single control can fail.
"Defense-in-depth for the data layer: encryption at rest + column-level access control + query logging + network segmentation + DLP rules. Bypassing one layer doesn't expose the data."
- Security Control /sɪˈkjʊərɪti kənˈtroʊl/
A safeguard or countermeasure applied to reduce security risk. Classified as preventive (stops attacks), detective (identifies attacks), or corrective (reduces damage after an attack).
"We categorise our controls: WAF is preventive (blocks SQL injection). SIEM alerting is detective (identifies anomalous access patterns). Automated account lockout is corrective (limits damage from credential stuffing)."
- Compensating Control /ˈkɒmpenseɪtɪŋ kənˈtroʊl/
A security control that reduces the risk of a missing or insufficient primary control. Applied when the primary control is not feasible — often cited in compliance contexts when a standard requirement cannot be met directly.
"We can't patch the legacy system to TLS 1.3 — it's out of support. Compensating control: network-level mutual TLS termination at the gateway, plus IP allowlisting, to mitigate the risk of the weaker stack."
- Zero Trust /ˈzɪəroʊ trʌst/
A security model based on the principle "never trust, always verify." Every request — regardless of network origin — is authenticated, authorised, and encrypted. Eliminates the implicit trust otherwise granted on the basis of network location inside the perimeter.
"Our zero trust implementation: every inter-service call requires a valid service account token, even within the same VPC. There's no 'trusted internal network' — every caller is authenticated."
- Microsegmentation /ˌmaɪkroʊˌseɡmənˈteɪʃən/
Dividing a network into very fine-grained segments with strict, policy-based access controls between them. A key enabling technique for zero trust: it limits lateral movement if one segment is compromised.
"Microsegmentation means that if an attacker compromises the web tier, they cannot reach the database tier — those network paths are explicitly denied, not just unadvertised."
- Principle of Least Privilege /ˈprɪnsɪpəl əv liːst ˈprɪvɪlɪdʒ/
Every user, service, or process should have only the minimum permissions necessary to perform its function. Reducing privilege scope limits the blast radius of a compromised account or vulnerability.
"The Lambda function only has read permissions on the specific S3 bucket it needs — not s3:* on all buckets. Least privilege: if this function is compromised, the attacker can only read that one bucket."
- Risk Acceptance /rɪsk əkˈseptəns/
A formal decision to acknowledge a known risk and take no further mitigation action — typically because the cost of mitigation exceeds the expected impact. Must be documented and signed off by an appropriate owner.
"The risk acceptance for the legacy auth endpoint has been signed by the CISO. We've documented: residual risk = medium, mitigation cost = $180K rearchitecture, business justification = system is end-of-life in 8 months."