Security Architecture Study Plan
This page is updated based on jassics/security-study-plan/security-architecture-study-plan. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.
Security Architecture is different from just "doing AppSec" or "doing pentesting" - you need to design secure systems end-to-end across applications, infrastructure, cloud, data, and identities. It's more about:
- Defining guardrails and reference architectures
- Driving secure design decisions early
- Aligning with frameworks and standards
- Working closely with AppSec, Cloud, Infrastructure, and GRC teams
It usually takes 6-12 months to be good at Security Architecture fundamentals - enough for an entry-level role or a lateral move into an architect-type role.
In Short
- Security Architecture is not only pentesting or only AppSec.
- Think of it as a combination of engineer, designer, and risk manager.
- Talking to engineering leaders, architects, product owners, and GRC teams should not scare you.
- Be comfortable with diagrams, data flows, and threat modeling.
- Understand both on-prem and cloud architectures (at least one major CSP).
- Be able to review designs and propose secure patterns with confidence.
ToC
- Security Architecture Fundamentals - 4-6 weeks
- Frameworks, Standards and Models - 3-4 weeks
- Designing Secure Architectures - 4-6 weeks
- Threat Modeling and Risk Management - 3-4 weeks
- Secure SDLC and Architecture Governance - 3-4 weeks
- Reference Architectures and Patterns - 3-4 weeks
- Books, Videos, Courses, Certifications
- Interview Questions
Security Architecture Fundamentals
Duration: 4-6 weeks
Goal: understand what security architecture means and where it fits in the overall security program.
Week 1-6: Core Architecture
- Understand the role of a Security Architect vs AppSec Engineer vs Cloud Security Engineer vs GRC
- Understand high-level components of modern systems: applications/microservices, APIs and integration layers, databases/data stores, identity and access management, network/perimeter controls, observability and logging
- Learn to read and create architecture diagrams (C4 model basics: context/container/component diagrams)
- Understand core security goals (CIA, authenticity, non-repudiation, privacy by design, least privilege, defense in depth)
- Map typical attack surfaces onto these diagrams
You'll use these fundamentals in almost every other section.
Frameworks, Standards and Models
Duration: 3-4 weeks
You don't need to memorize everything, but you should know what exists, when to use it, and where to look.
Week 7-10: Frameworks
- High-level frameworks - SABSA (business-driven security architecture), TOGAF and how security fits into enterprise architecture, NIST CSF at a high level
- Technical standards - NIST 800-53/800-171 basics, ISO 27001 controls at a high level, CIS Controls v8 (mapped to architecture capabilities)
- Application/cloud-focused standards - OWASP ASVS, OWASP SAMM, CSP-specific Well-Architected frameworks (AWS/Azure/GCP)
Understand how these frameworks translate into concrete architecture requirements (logging, segmentation, encryption, IAM, backups, resilience).
Designing Secure Architectures
Duration: 4-6 weeks
Focus on how you design secure solutions from the start.
Week 11-16: Design Patterns
- Network and segmentation - DMZs, zero trust network concepts, micro-segmentation, north-south vs east-west traffic
- Identity and access architecture - central IdP, SSO, SAML/OIDC, MFA, RBAC/ABAC, least privilege, just-in-time access
- Data security architecture - data classification, encryption in transit/at rest, key management (KMS/HSM basics), tokenization/masking/pseudonymization
- Application and API architecture - high-level secure web/API architectures (deep API details are in the API Security Study Plan)
- Resilience and availability - redundancy, failover, backups/restore, designing for DDoS and capacity
Pick one or two small systems (side project, home lab, or existing app at work) and draw the "as-is" and "to-be" secure architecture.
Threat Modeling and Risk Management
Duration: 3-4 weeks
Here you combine architecture diagrams with attacker thinking.
Week 17-20: Threat Modeling
- Read the Threat Modeling Study Plan and the site's own Threat Modeling guide
- Learn at least one methodology - STRIDE, or attack trees/kill-chain style
- Learn how to identify assets/trust boundaries/entry points, identify threats and abuses per component, prioritize with simple risk scoring (likelihood × impact), and propose architectural mitigations
Repeat for at least 3-4 different architectures: a simple 3-tier web app, public APIs with a mobile/SPA client, and an internal line-of-business application.
Secure SDLC and Architecture Governance
Duration: 3-4 weeks
Security architecture is only effective if it's built into how software is delivered.
Week 21-24: Governance
- Revisit the Secure SDLC Study Plan
- Understand where security architects engage in the SDLC - requirement/design reviews, architecture review boards/design review checklists, threat modeling as part of design, sign-off criteria and security non-functional requirements
- Learn common governance practices - reference architectures/reusable patterns, exception management and technical debt tracking, security standards/baselines/guardrails
Reference Architectures and Patterns
Duration: 3-4 weeks
Collect reference architectures for typical environments.
Week 25-28: Reference Architectures
- On-prem/hybrid - DMZ, VPN, identity, central logging, SIEM, bastion hosts
- Cloud - secure VPC/VNet design, internet-facing vs private services, centralized logging/monitoring/alerting
- Common patterns - zero trust access to internal apps, secure API gateway pattern, secure data pipeline/analytics architecture
Map each reference diagram to which controls are enforced where, and how attacks would flow through the system.
Books, Videos, Courses, Certifications
Books:
- Enterprise Security Architecture: A Business-Driven Approach
- Agile Application Security - good for seeing how architecture and AppSec work together
- Security Engineering by Ross Anderson - classic reference on designing secure systems
- The Tangled Web: A Guide to Securing Modern Web Applications
Videos: search for "Security Architecture" talks from OWASP, Black Hat, or RSA; cloud provider "Well-Architected" security deep-dives (AWS, Azure, GCP official channels)
Courses: "Enterprise Security Architecture" or "Security Architecture and Design" courses from trusted platforms; cloud security architecture courses from your preferred CSP
Certifications:
- CSSLP: Certified Secure Software Lifecycle Professional
- CCSP: Certified Cloud Security Professional
- Vendor-specific cloud security/architecture certifications (AWS, Azure, GCP)
Interview Questions
Use the Application Security interview questions and think about how you'd answer them from an architecture perspective (design choices, trade-offs, patterns), then extend with:
- How would you design a secure architecture for a public web application with APIs and mobile clients?
- How would you design logging and monitoring for a critical payments system?
- How would you approach threat modeling for a new microservices-based product?
Practice next: Application Security interview questions answered from an architecture lens, and jassics/security-study-plan for the latest updates to this plan.