Essential Elements of Security DFDs
Security DFDs use standard notation enhanced with security-specific annotations. External entities represent actors outside your control—users, external systems, or attackers. These entities mark the edges of your security responsibility and often represent threat sources. Mark whether entities are trusted, untrusted, or semi-trusted, as this classification drives security requirements for interactions.
Processes represent components that transform, validate, or route data. In security DFDs, each process should indicate its privilege level, authentication requirements, and key security functions. A web server process might be annotated with "DMZ, authenticates users, validates input." These annotations help identify where security controls are implemented and where additional controls might be needed.
Data stores represent where information resides, whether temporarily in caches or permanently in databases. Security annotations for data stores include encryption status, access controls, sensitivity classification, and backup/retention policies. A customer database might be marked as "encrypted at rest, PII, access restricted to app service account, daily backups retained 30 days."
Data flows show information movement between elements. Security-relevant annotations include data classification, encryption in transit, authentication requirements, and validation performed. A flow might be labeled "customer PII, TLS 1.3, mutual authentication, input validated at receiver." These details reveal where data is vulnerable and what protections are in place.
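The four element types and their annotations can be captured as data and checked mechanically. This is an added example, not part of the original text: a minimal model of entities, processes, data stores and flows with the annotations described above, plus a `lint` function that flags the gaps those annotations are meant to expose (PII in transit without TLS, untrusted input reaching a process that does not validate, PII stored without encryption at rest). The element names, fields and the sample diagram are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entity:               # external entity, outside our control
    name: str
    trust: str              # "trusted" | "semi-trusted" | "untrusted"

@dataclass
class Process:
    name: str
    zone: str               # e.g. "DMZ", "internal"
    validates_input: bool = False

@dataclass
class DataStore:
    name: str
    classification: str     # e.g. "public", "PII"
    encrypted_at_rest: bool = False

@dataclass
class Flow:
    src: str
    dst: str
    classification: str
    transport: str = "plaintext"   # e.g. "TLS 1.3"

def lint(entities, processes, stores, flows):
    """Return findings for flows and stores whose annotations reveal a gap."""
    trust = {e.name: e.trust for e in entities}
    procs = {p.name: p for p in processes}
    store = {s.name: s for s in stores}
    findings = []
    for f in flows:
        if f.classification == "PII" and not f.transport.startswith("TLS"):
            findings.append(f"{f.src}->{f.dst}: PII in transit over {f.transport}")
        # Sources that are not external entities (internal processes) are treated as trusted.
        if trust.get(f.src, "trusted") != "trusted" and f.dst in procs \
                and not procs[f.dst].validates_input:
            findings.append(f"{f.src}->{f.dst}: {trust[f.src]} input not validated by receiver")
        if f.classification == "PII" and f.dst in store \
                and not store[f.dst].encrypted_at_rest:
            findings.append(f"{f.dst}: PII stored without encryption at rest")
    return findings

# Constructed sample diagram: browser user -> DMZ web server -> customer database.
SAMPLE = dict(
    entities=[Entity("user", "untrusted")],
    processes=[Process("web", "DMZ", validates_input=True)],
    stores=[DataStore("customer_db", "PII", encrypted_at_rest=False)],
    flows=[Flow("user", "web", "PII", "TLS 1.3"),
           Flow("web", "customer_db", "PII")],
)
```

Running `lint(**SAMPLE)` reports the plaintext hop into the database and the unencrypted PII store, while the validated, TLS-protected user flow produces no finding.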