Architecture Review Methodology#
The RABET-V Architecture Review is designed to evaluate the solution’s architectural support for the RABET-V security control families. This evaluation produces an architectural maturity score for each security control family and identifies the components that provide each security service. This score does not measure how well the product executes the security service (i.e., its capability level), just how mature the architecture is that supports the security service. The Security Services Capability Maturity level is a separate metric determined in the Security Claims Validation that indicates how well the product provides the security services.
The Architectural Maturity scores and component mappings are used to help assess the risk that changes to the product will negatively impact the security services. These are used in the Testing Rules Determination Activity to identify how to test the product changes. Higher architectural maturity scores, in conjunction with process maturity scores; may indicate the need for less testing required to validate that changes have not created increased risk in the product.
The Architecture Review activity is supplied with architecture diagrams, architecture descriptions, and interview sessions to confirm the architectural details and threat model of the product.
For more information about what is expected for the architecture diagrams and description, see the Provider Submission activity.
The Architecture Review will identify the product components at the system and software levels that expose functionality, and the security services that protect those functions.
This activity will also complete the system and software architectural viewpoints. The system level diagram identifies the larger components of the environment used to host and manage the software application(s). The software level diagrams identify the components a layer deeper into the software application(s).
Inputs#
RTP Submission#
The Technology Provider will supply architecture diagrams, architecture descriptions, and access to a functioning version of the solution. The Technology Provider process their source code through designated SBOM and software architecture analysis tools (currently Mend and Lattix). The architecture review will use the architecture tools and functioning solution to validate or fill-in missing pieces from the architecture diagrams and descriptions. For more information about what is expected for the architecture diagrams and description, see the Provider Submission activity.
Required Security Control Families#
The Ten Security Control Families provide guidance as to the needed controls to help protect the product and related data.
Security Architecture Rubric#
The rubric was created to help score the product architecture in the categories of Reliability, Manageability and Consistency, Maintainability (Modularity and Isolation), and Depth of control coverage (i.e., defense-in-depth)
Outputs#
Product Security Architecture Maturity Workbook#
These scores will be included in an architecture maturity workbook that will contain an executive summary tab, threat model results, and architecture scoring.
Product Security Architecture Maturity Scores#
Based on the maturity scoring rubric, the architecture will be assigned scores at various levels for each security control family which corresponds to how well it supports the mitigations within that family. These scores are calculated at five layers, starting at the most detailed level of security service implementation per component or interface and rolling up to result in a master architecture score.
List of issues or concerns#
Included in the workbook will be a list of threat modeling findings and any additional issues or concerns from the more detailed review of the software level architecture.
Software Architecture Report#
The Architecture Review will identify the components of the system and how the security services are used in relation to those components.
Tasks
Perform Threat Modeling
Threat modeling takes the provider submitted architectural documentation as input along with interview sessions with individuals that possess knowledge about the system and software architecture. The security control families provided by the application are enumerated using the threat modeling methodology.
Outputs:
SAMM Presentation
Security Service Listing
System Level Scores
Threat Model
Bill of Material Analysis
Analyze the third party libraries used by the product, including licenses, maintainers, and known vulnerabilities.
Outputs:
Reliability Scores
Software BOM
Perform Software Architecture Analysis
Analyze the software architecture using tools and interviews.
Inputs: Software BOM
Outputs: Software Level Scores
Perform Depth Scoring
Outputs: Depth Score
Build architectural model
Create an architectural model containing the components, trust boundaries, and interfaces.
Inputs:
Reliability Scores
Security Service
Software BOM
Software Level Scores
System Level Scores
Outputs:
Architecture Review Report
Point of Use Score
Generate Scoring Spreadsheets
Inputs:
Depth Score
Point of Use Score
Outputs: Consolidated Architecture Scores