[AA1.1: 113] Perform security feature review.
Security-aware reviewers identify the security features in an application and its deployment configuration (authentication, access control, use of cryptography, etc.), then inspect the design and runtime parameters for problems that would cause these features to fail at their purpose or otherwise prove insufficient. For example, this kind of review would identify both a system that is subject to escalation of privilege attacks because of broken access control and a mobile application that incorrectly puts PII in local storage. In some cases, use of the firm’s secure-by-design components can streamline this process (see [SFD2.1 Leverage secure-by-design components and services]). Organizations often carry out security feature review with checklist-driven analysis and procedural threat modeling efforts. Many modern applications are no longer simply “3-tier” but instead involve components architected to interact across a variety of tiers: browser/endpoint, embedded, web, microservices, orchestration engines, deployment pipelines, third-party SaaS, and so on. Some of these environments might provide robust security feature sets, whereas others might have key capability gaps that require careful consideration. Organizations should therefore consider the applicability and correct use of security features not in just one tier of the application but across all tiers that constitute the architecture and operational environment.