In practice, the security design review can be considered a low-level form of threat modeling. The following inputs are suggested for the design review:
- Security compliance checklist
- Security requirement checklist (OWASP ASVS)
- Top 10 security design issues
- Security issues in the previous release
- Customer or marketing feedback on security issues
When we are doing a design review for the top security issues, we may also refer to industry references such as the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Software Errors. Meanwhile, the project team may also build its own list of top security issues based on historical records or customer feedback:
- OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- CWE/SANS Top 25 Most Dangerous ...