Complete Guide
Intermediate
Refreshed: March 2026

Secure Architecture & Design

After completing this section, you'll be able to threat-model a new system in 30 minutes, review an architecture for critical control gaps, write Zero Trust policies that map to real platforms, and ship reference architectures with production-grade IaC. Whether you're designing systems, reviewing them, or securing the pipeline that delivers them — this is your operational playbook.

Why This Section Matters Now

Architecture teams are being asked to design for cloud-native delivery, identity-centric access, software supply chain risk, and policy-driven infrastructure at the same time. Use this section to turn high-level security standards into concrete review steps, implementation patterns, and deployment guardrails.

Framework Updates That Matter

NIST CSF 2.0 added the Govern function in February 2024, CIS Controls v8.1 remains a strong prioritization baseline, and OWASP SAMM 2.0 plus NIST SP 800-207 help bridge software assurance and Zero Trust design. This guide treats those as current inputs, not legacy checklists.

Architecture Review Tiers

Not every system needs the same depth of review. Use these tiers to calibrate how much of this guide to apply. The further right you go, the more controls, review rigor, and framework alignment you need.

TIER 1 Internet-Facing API

Public attack surface, standard auth, managed database. Most startups and new services start here.

  • Sections 01–03: Threat model + risk analysis + design patterns
  • Section 09: CI/CD security gates
  • Section 12: Three-tier reference architecture

TIER 2 Multi-Tenant SaaS Platform

Tenancy isolation, shared infrastructure, API marketplace. Control failures affect multiple customers.

  • All of Tier 1, plus:
  • Sections 04–06: Defense in depth + Secure by Design + Zero Trust
  • Sections 07–08: Cloud-native + API/microservices patterns
  • Section 12: Hub-spoke + microservices reference architectures

TIER 3 Regulated / Critical Infrastructure

PCI DSS, SOX, HIPAA, or critical infrastructure. Audit trails, formal risk acceptance, breach notification requirements.

  • All of Tier 2, plus:
  • Section 10: Case study analysis (breach post-mortems)
  • Section 11: Full framework mapping (NIST, ISO, CIS)
  • Section 05: LINDDUN privacy threat modeling
  • Formal ADRs and control evidence for auditors

What You Will Learn

Threat modeling with STRIDE, PASTA, LINDDUN, attack trees, and threat modeling as code
Architecture review workflows that map design choices to ranked risks and engineering actions
Secure patterns for identity, authorization, validation, secrets, segmentation, and data protection
Zero Trust, cloud-native, and microservices design choices that hold up in production
Practical SDLC controls using Semgrep, Checkov, tfsec, pre-commit hooks, and CI security gates
Reference architectures and framework mappings you can adapt for reviews, roadmaps, and design decisions

Prerequisites

Architecture Foundations

  • Networking basics: TCP/IP, DNS, TLS, HTTP/S
  • Client-server and API architecture
  • Identity and access fundamentals
  • Basic data flow and trust boundary thinking

Builder Workflow

  • Familiarity with one cloud provider
  • Git and pull request workflows
  • Basic CI/CD pipeline concepts
  • Helpful: some exposure to Terraform or YAML

Recommended Context

  • Complete the Web Pentest or Network Security guide first
  • Keep an AWS, Azure, or GCP account handy for reference architecture labs
  • Be ready to think like both builder and reviewer
  • Treat this section as design review training, not theory only

How To Use This Section

Architects

Start with sections 01-06 to build design instincts, then use 11-12 to align frameworks, control roadmaps, and target architectures.

Pentesters

Focus on sections 01-02, 06, and 10 to understand how defenders reason about trust boundaries, identity, and control failure chains.

DevSecOps

Prioritize sections 07-09 and 12 for cloud, IaC, CI/CD, and platform controls you can wire directly into engineering workflows.

Methodology Overview

[Diagram: SDLC flow and the security activities at each stage]

Quick Start: Review an Internet-Facing API in 10 Minutes

If you want a practical entry point, use this mini review flow before diving into the full curriculum. It mirrors how security architects and reviewers quickly sanity-check an API design before the first sprint hardens into architecture debt.

api-architecture-review.txt
system: Public REST API with SPA frontend, API gateway, app tier, and managed database

1. Draw the trust boundaries
   - Browser / mobile client
   - Edge / WAF / CDN
   - API gateway
   - Application services
   - Database / secrets / admin plane

2. Ask the first threat-model questions
   - Where does identity originate and how is it verified?
   - Which requests cross privilege or tenancy boundaries?
   - What happens if a token, service credential, or webhook secret is stolen?
   - Which tier can reach the database and admin interfaces?

3. Check baseline controls
   - Strong authentication and token validation at the edge
   - Authorization enforced in the service, not only at the gateway
   - Input validation, output encoding, and rate limiting
   - Secrets in a vault, not in CI variables or app config files
   - Logging and alerting on auth failures, admin actions, and anomalous access

4. Map to current frameworks
   - NIST CSF 2.0: Govern, Identify, Protect, Detect
   - OWASP SAMM: Design and Verification
   - Zero Trust: continuous verification and least privilege

5. Decide what to read next in this guide
   - Threats unclear? Go to 01 Threat Modeling
   - Trust boundaries unclear? Go to 02 Risk Analysis
   - Controls unclear? Go to 03, 04, and 06
   - Delivery guardrails unclear? Go to 09 and 12
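
Steps 1 to 3 of the review flow above can be run as a repeatable check. This is an added Python example, not part of the original guide or of any tool it lists; the zone names, the `Flow` fields and the rule names are assumptions chosen for illustration, and the sample design is constructed.

```python
from dataclasses import dataclass

# Trust zones from step 1, ordered from least to most trusted (names assumed).
ZONES = ["client", "edge", "gateway", "app", "data"]

@dataclass(frozen=True)
class Flow:
    src: str             # zone the request originates from
    dst: str             # zone the request lands in
    authenticated: bool  # caller identity is verified on this hop
    authorized: bool     # receiver makes its own authorization decision

def review(flows, data_allowed_from=("app",)):
    """Return sorted (rule, src, dst) findings for a list of Flow objects."""
    findings = set()
    for f in flows:
        if f.src not in ZONES or f.dst not in ZONES:
            raise ValueError(f"unknown zone in flow {f.src} -> {f.dst}")
        # Step 2: every trust-boundary crossing needs a verified identity.
        if f.src != f.dst and not f.authenticated:
            findings.add(("unauthenticated-crossing", f.src, f.dst))
        # Step 2: only the expected tier may reach database/secrets/admin plane.
        if f.dst == "data" and f.src not in data_allowed_from:
            findings.add(("unexpected-data-plane-access", f.src, f.dst))
        # Step 3: authorization is enforced by the receiver, not only upstream.
        if f.dst in ("app", "data") and not f.authorized:
            findings.add(("no-service-side-authz", f.src, f.dst))
        # A request that jumps over a zone skips that zone's controls.
        if ZONES.index(f.dst) - ZONES.index(f.src) > 1:
            findings.add(("skipped-boundary", f.src, f.dst))
    return sorted(findings)

# Constructed sample design: the app tier relies on the gateway's decision,
# and a job at the edge connects straight to the database.
SAMPLE = [
    Flow("client", "edge", authenticated=True, authorized=False),
    Flow("edge", "gateway", authenticated=True, authorized=False),
    Flow("gateway", "app", authenticated=True, authorized=False),
    Flow("app", "data", authenticated=True, authorized=True),
    Flow("edge", "data", authenticated=False, authorized=True),
]

if __name__ == "__main__":
    for rule, src, dst in review(SAMPLE):
        print(f"{rule}: {src} -> {dst}")
```

Each finding names the rule and the hop it applies to, so it can be carried into a design review as a ranked item.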

Architecture Security Stack (2026)

| Tool / Framework | Category | Best For | Integration |
|---|---|---|---|
| Microsoft Threat Modeling Tool | Threat Modeling | Fast STRIDE-based data flow reviews | Desktop diagrams, DFDs, review workshops |
| OWASP Threat Dragon | Threat Modeling | Cross-platform collaborative threat diagrams | Open source, diagram editor, team sharing |
| STRIDE Modeler | Built-In Tool | Quick interactive threat modeling inside this site | Hackers Manifest tool workflow |
| Threagile | Threat Modeling as Code | YAML-based threat modeling in CI/CD | CLI, reports, generated diagrams |
| IriusRisk | Architecture Review | Enterprise-scale automated threat modeling | Questionnaires, Jira, review workflows |
| Semgrep | Application Security | Secure coding and architectural guardrails in pipelines | SAST, CI/CD, policy checks |
| Checkov / tfsec / KICS | IaC Security | Terraform and cloud misconfiguration review | Pre-commit, pull requests, CI gates |
| Prowler / Falco | Cloud and Runtime | Cloud posture and runtime detection coverage | Azure posture, container runtime monitoring |

Why These Tools Show Up In This Section

The deeper pages already cover threat modeling tools, framework mapping, CI security gates, and Terraform-based reference architectures. This landing page now surfaces that implementation layer early so you know the section is meant to help you build and review systems, not just memorize principles.

Guide Sections

01

Threat Modeling

Start with STRIDE, PASTA, LINDDUN, attack trees, and threat modeling as code before teams commit to architecture choices.

STRIDE • PASTA • LINDDUN • Threagile • DFDs

02

Architecture Risk Analysis

Turn diagrams and trust boundaries into ranked risks, abuse cases, and design review findings that engineering teams can act on.

Attack surface • Trust boundaries • Risk ranking

03

Security Design Patterns

Apply proven patterns for authentication, authorization, validation, secrets handling, and data protection across modern systems.

AuthN/AuthZ • Validation • Data protection • Anti-patterns

04

Defense in Depth

Layer identity, network, workload, and monitoring controls so one failure does not become a full-system compromise.

Segmentation • Least privilege • Detection • Resilience

05

Secure by Design Principles

Use fail-safe defaults, simplicity, privacy by design, and secure UX principles to shape systems before code and controls drift apart.

Fail safe • Economy of mechanism • Privacy by design

06

Zero Trust Architecture

Design for strong identity, device and workload posture, continuous verification, and segmented access instead of network trust.

Identity-centric • Micro-segmentation • Continuous verification

07

Cloud-Native Security

Secure containers, Kubernetes, serverless, and multi-account cloud environments with policy, posture management, and runtime controls.

Kubernetes • CSPM • Runtime detection • IAM

08

API & Microservices Architecture

Review gateway patterns, service-to-service auth, rate limiting, circuit breakers, and tenancy boundaries for distributed systems.

API gateway • mTLS • Rate limiting • Multi-tenancy

09

Secure SDLC Integration

Push threat modeling, IaC scanning, SAST, secrets detection, and design review gates into delivery workflows that teams actually use.

Semgrep • Checkov • tfsec • Pre-commit • CI/CD gates

10

Real-World Case Studies

Study failures like Equifax, Capital One, SolarWinds, Log4Shell, MOVEit, and Storm-0558 to see which architecture controls broke first.

Breach anatomy • Control gaps • Review templates

11

Security Frameworks

Map NIST CSF 2.0, ISO 27001/27002, CIS Controls v8.1, NIST 800-53, and OWASP SAMM into a usable architecture and governance program.

NIST CSF 2.0 • CIS v8.1 • OWASP SAMM • Cross-mapping

12

Reference Architectures

Use production-oriented Terraform and YAML examples for three-tier apps, hub-spoke networking, Zero Trust, service mesh, and CI/CD.

Terraform • YAML • Three-tier • Hub-spoke • CI/CD

Quick Reference

Core Principles

  • Threat model before teams commit to implementation
  • Design for blast-radius reduction, not perfect prevention
  • Enforce identity, authorization, and segmentation close to the asset
  • Make insecure paths hard to build and easy to detect

Current Standards

  • NIST CSF 2.0 - current risk-management baseline with Govern
  • CIS Controls v8.1 - prioritized defensive actions
  • OWASP ASVS 4.x - application security verification baseline
  • NIST SP 800-207 - Zero Trust architecture reference

Ready to Begin?

Start with Threat Modeling to build the habit that anchors the rest of the section, then move through risk analysis, patterns, Zero Trust, cloud-native design, and delivery controls. If you already have a platform in flight, jump to the reference architectures and work backward into the framework and design chapters.
