Stage 3: Application Decomposition

Stage 3 breaks down the application into analyzable components, creating a detailed understanding of how the system works. This decomposition goes beyond architectural diagrams to examine the actual implementation, identifying entry points, trust boundaries, data stores, and security controls. The goal is understanding the application deeply enough to think like an attacker.

Identify all entry points where external data enters your system. These include obvious interfaces like web forms and API endpoints, but also less obvious entries like configuration files, environment variables, scheduled job inputs, and inter-process communications. Each entry point represents a potential attack vector that must be analyzed for security weaknesses.

Map data flows through your application with particular attention to trust boundaries. When does data transition from untrusted to trusted? Where are validation and sanitization performed? How does data move between different privilege levels? Understanding these flows reveals where security controls are needed and where they might be missing or inadequate.

Document existing security controls and their implementation details. This includes authentication mechanisms and session management, authorization checks and access controls, input validation and output encoding, encryption for data in transit and at rest, and logging and monitoring capabilities. Understanding current controls helps identify gaps and evaluate their effectiveness against potential threats.
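The three steps above can be recorded as a small data-flow model and checked mechanically. The sketch below is an added example, not part of the original page: the component names, the trust zones and the `REQUIRED` control set are all assumptions constructed for illustration. It lists entry points, finds every flow that moves data into a more trusted zone, and reports which documented controls are missing on that boundary.

```python
from dataclasses import dataclass
ZONES = {"internet": 0, "dmz": 1, "app": 2, "data": 3}  # least to most trusted (constructed)
REQUIRED = frozenset({"authn", "validation", "tls"})  # assumed boundary policy

@dataclass(frozen=True)
class Component:
    name: str
    zone: str
    entry_point: bool = False  # external data enters the system here

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    controls: frozenset = frozenset()  # controls documented on this flow

def decompose(components, flows):
    """Return (entry_points, boundary_crossings, control_gaps)."""
    by_name = {c.name: c for c in components}
    entries = sorted(c.name for c in components if c.entry_point)
    crossings, gaps = [], []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if ZONES[dst.zone] > ZONES[src.zone]:  # data moves toward more trust
            crossings.append((f.src, f.dst))
            missing = REQUIRED - f.controls
            if missing:
                gaps.append((f.src, f.dst, f.data, sorted(missing)))
    return entries, crossings, gaps

COMPONENTS = [  # constructed sample model of a small order-processing app
    Component("browser", "internet"), Component("partner_sftp", "internet"),
    Component("web_api", "dmz", True), Component("cron_import", "app", True),
    Component("order_service", "app"), Component("orders_db", "data"),
]
FLOWS = [
    Flow("browser", "web_api", "order form", REQUIRED),
    Flow("partner_sftp", "cron_import", "csv feed", frozenset({"tls"})),
    Flow("web_api", "order_service", "order json", frozenset({"tls", "authn"})),
    Flow("order_service", "orders_db", "sql rows", REQUIRED),
    Flow("orders_db", "order_service", "query results"),
]

if __name__ == "__main__":
    entries, crossings, gaps = decompose(COMPONENTS, FLOWS)
    print("entry points:", entries)
    for src, dst, data, missing in gaps:
        print(f"GAP {src} -> {dst} ({data}): missing {', '.join(missing)}")
```

In this sample the scheduled import job is the less obvious entry point, and it is also where the largest control gap appears.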