questions for system design reviews

May 12, 2019  

Often I am responsible for providing feedback on system designs prior to implementation. These reviews are usually focused on identifying or validating security properties of the proposed design.

When doing these reviews, I find it easy to miss feedback opportunities once I get stuck down some rabbit hole. This is a short checklist to remind myself which questions I should be able to answer by the end of a review.

  • Is the problem clear? Does the design appear to solve this problem?

  • Is the rationale behind design decisions clear? Are design constraints enumerated?

  • Have alternate designs been explored? Is the rationale for why a specific design was selected clear?

  • Are desired security properties enumerated? Are the enumerated properties strong? Are any properties missing?

  • Does the design meet all desired security properties? Is it stated why they are met? Are those statements correct?

  • Does anything in the design feel superfluous? Can superfluous components be eliminated safely?