Often I am responsible for providing feedback on system designs prior to implementation. These reviews are usually focused on identifying or validating security properties of the proposed design.
When doing these reviews I find it easy to miss out on feedback opportunities when I get stuck down some rabbit hole. This is a short checklist to remind myself what questions I might want to answer during a review.
-
Is the problem clear? Does the design appear to solve this problem?
-
Is the rationale behind design decisions clear? Are design constraints enumerated?
-
Have alternate designs been explored? Is the rationale for why a specific design was selected clear?
-
Are desired security properties enumerated? Are the enumerated properties strong? Are any properties missing?
-
Does the design meet all desired security properties? Is it stated why they are met? Are those statements correct?
-
Does anything in the design feel superfluous? Can superfluous components be eliminated safely?