In this step, you break down your application to create a security profile for it based on traditional areas of vulnerability. You also identify trust boundaries, data flow, entry points, and privileged code. The more you know about the mechanics of your application, the easier it is to uncover threats. Figure 3-4 shows the various targets for the decomposition process.
Figure 3-4. Targets for application decomposition
During this step, you perform the following tasks:
Identify trust boundaries.
Identify data flow.
Identify entry points.
Identify privileged code.
Document the security profile.
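One way to record the output of these tasks in a form that can be checked, as an added example that is not part of the original guide. The component names, zones, flows, the zone ranking and the `decompose` function are all constructed assumptions, and the example goes slightly beyond the task list by also reporting which privileged code can be reached from an entry point.

```python
from collections import namedtuple

# Constructed sample model (assumption): zones ranked by trust, higher = more trusted.
ZONES = {"internet": 0, "dmz": 1, "internal": 2}
Component = namedtuple("Component", "name zone privileged")
Flow = namedtuple("Flow", "src dst data")

COMPONENTS = [
    Component("browser", "internet", False),
    Component("web_app", "dmz", False),
    Component("order_service", "internal", False),
    Component("file_export", "internal", True),   # writes to the file system
    Component("backup_job", "internal", True),    # runs with an admin account
    Component("database", "internal", False),
]
FLOWS = [
    Flow("browser", "web_app", "form fields"),
    Flow("web_app", "order_service", "order request"),
    Flow("order_service", "file_export", "report name"),
    Flow("order_service", "database", "SQL query"),
    Flow("backup_job", "database", "dump request"),
]

def decompose(components, flows):
    """Build a security profile: boundaries, entry points, privileged code."""
    level = {c.name: ZONES[c.zone] for c in components}
    # Trust boundary: any data flow whose endpoints sit in different zones.
    crossings = [f for f in flows if level[f.src] != level[f.dst]]
    # Entry point: a component that receives data from the least-trusted zone.
    entry_points = sorted({f.dst for f in flows if level[f.src] == 0})
    # Follow data flows onward from the entry points to see what they reach.
    reachable, stack = set(entry_points), list(entry_points)
    while stack:
        node = stack.pop()
        for f in flows:
            if f.src == node and f.dst not in reachable:
                reachable.add(f.dst)
                stack.append(f.dst)
    privileged = sorted(c.name for c in components if c.privileged)
    return {
        "trust_boundaries": [(f.src, f.dst, f.data) for f in crossings],
        "entry_points": entry_points,
        "privileged_code": privileged,
        "privileged_reachable": [p for p in privileged if p in reachable],
    }

if __name__ == "__main__":
    for key, value in decompose(COMPONENTS, FLOWS).items():
        print(f"{key}: {value}")
```

In this sample, `file_export` is privileged code that untrusted form input can reach through two trust boundaries, so it is the first place to review input validation and authorization; `backup_job` is privileged but has no path from an entry point.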