Security by Design

Security should not be an afterthought. Fundamental design flaws sometimes cannot be solved after deployment. In addition, it might not be feasible to replace an already deployed system, especially after a significant investment has been made to develop or acquire it. As a result, it is much more difficult and expensive to address security after deployment than during development.

Organizations should be designing for security. Fundamental security tasks should be executed starting from the very beginning of a project. The process should be driven by secure system development life cycle (SSDLC) principles, along with threat and maturity models.

In this context, hybrid design, architecture, and configuration reviews can be conducted across different life cycle phases (from design to development, from deployment to maintenance) to measure the security posture of different hardware and software platforms. These reviews include:

  • Secure design review, conducted via documentation, interviews, and practical testing
  • Configuration review of servers, workstations, network equipment, and mobile devices
  • Attack surface analysis, conducted via threat modeling, practical testing, and dedicated metrics
  • Identity and access governance (IAG) assessment, aimed at evaluating the maturity of identity and access governance practices
  • Password analysis, encompassing password dumping, cracking, and statistical analysis
  • Network segregation testing, aimed at evaluating firewall ACLs and other network segmentation controls.