ABSTRACT

When the author speaks at conferences about the practice of security architecture, participants repeatedly ask, "How do I get started?" At present, there are few holistic works devoted to the art and the practice of system security assessment.

Yet despite the paucity of materials, the practice of security assessment is growing rapidly. The information security industry has gone through a transformation from reactive approaches such as Intrusion Detection to proactive practices that are embedded into the Secure Development Lifecycle (SDL). Among the practices typically required is a security architecture assessment. Most Fortune 500 companies are performing some sort of assessment, at least on critical and major systems.