Providing corporate leadership with visibility of the residual risks associated with application development across monolithic and microservice architectures.

Ray Morrison


Supervised by Amir Javed; Moderated by Yulia Cherdantseva

For large companies with a variety of product lines, corporate-level visibility of how well product development teams comply with secure application development principles is important, because it gives stakeholders assurance that regulatory requirements are being met. To achieve this, companies put in place corporate policies for secure development lifecycles and set maximum risk acceptance levels. The challenge lies in ensuring that the policy is actually being followed, and that developers are not being forced to find workarounds for an overly prescriptive or time-consuming process. This is especially true when a policy has been written with monolithic applications in mind and a team is responsible for a product with a microservices architecture.

This project will identify the similarities and differences in requirements between monolithic and microservice applications when secure development principles are applied, and design a dashboard that allows large corporations with a range of product lines to define a global (corporate) policy and gives leadership visibility of reported adherence to the mandated Secure Development Lifecycle requirements.

This framework/dashboard must be equally relevant, efficient, and usable for cloud-based microservices application architectures as it is for monolithic application product lines. Central corporate security/leadership teams must be able to set minimum frequencies for threat modelling, SAST, DAST, open-source dependency scanning, etc., but the time the engineering teams need to satisfy the evidentiary requirements must be proportionate to the scale of the change being implemented in the release.

The end goal is a concept dashboard, with some working functionality, that is suitable for engineering teams within product development and also gives corporate leadership confidence that risks are being identified and appropriately mitigated, and that any accepted residual risk is within both regulatory requirements and the business' risk appetite. Users in both of these groups will be surveyed after the concept dashboard has been created to determine its suitability.

Final Report (21/10/2022) [Zip Archive]