DFDs for Different System Types

Web applications typically follow user request flows from browser through multiple tiers to data stores and back. Security focus areas include the internet-to-DMZ boundary where initial validation occurs, authentication/session management flows, and database access patterns. Modern single-page applications add complexity with API-heavy designs and client-side state management requiring additional security consideration.

Mobile applications present unique DFD challenges with client-side code running on untrusted devices. The mobile app itself exists outside your trust boundary, requiring all security controls to be server-side. Offline capabilities create data synchronization flows that must handle potentially tampered data. Push notifications create server-to-client flows that could be exploited for information disclosure.

IoT systems create complex DFDs with numerous edge devices, communication protocols, and data aggregation points. Each device represents a potential attack point, communication channels may use various protocols with different security properties, and data aggregation creates high-value targets. Trust boundaries are especially critical in IoT DFDs because device compromise is often assumed possible.

Cloud-native applications leverage managed services that abstract infrastructure complexity but create new trust boundaries. DFDs must show boundaries between your application and cloud services, between different cloud accounts or subscriptions, and between regions for data residency. Shared responsibility models mean some security controls are cloud provider responsibilities while others remain yours.