| Category | Weight | Tag word | Description |
| --- | --- | --- | --- |
| Security features | 5 | Authentication / Authorization | Adding or changing an authentication/authorization method or mechanism (login, roles, permissions, privileges, ACL, certificates, SSL, LDAP); shifting the trust relationships between any components or actors in the system (change of user roles, change of data access permissions, etc.) |
| Security features | 1 | Auditing, monitoring and alerting | Adding or changing application monitoring, notifications (Skype, HipChat), gathering analytics (Google Analytics, Xiti), auditing and compliance requirements (PCI, GDPR, HIPAA) |
| Security features | 5 | Cryptography | Adding or changing cryptographic functionality: hashing algorithms, salt, encryption/decryption algorithms, SSL/TLS configuration, key management, etc. |
| Attack surface | 2 | New API | New exposed or consumed web services, 3rd party integration, SOAP, REST |
| Attack surface | 1 | New pages | New controls (forms, inputs, buttons), new import/export, parsing and handling input data |
| Threat models | 1 | New 3rd party dependency | E.g. new jar, framework (OWASP Dependency-Check) |
| Threat models | 3 | New data storage | Database, repository, cache, file system, configuration management system, new logging mechanism, registry; any logical data storage, data at rest |
| Threat models | 3 | New data flow | HTTP, HTTPS/TLS/SSL, RPC/DCOM, JMS, RMI, SMB, UDP, IOCTL, IPSec, named pipe, binary, ALPC; any logical data flow, data in transit across subsystems |
| Assets | 5 | Handling sensitive data | Credentials, user personal data (PII), credit card data (PCI) |
| Assets | 2 | Handling new type of data | Data we have not received before: new statistics, new business entities |
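As an added illustration of how the tag words and weights above can drive a review-triage step (this is example code, not part of the original table or any project's tooling), the script below tags a unified diff by scanning its changed file paths and added lines, then sums the weights of the tags it found. The keyword heuristics, the summing of weights, the review threshold of 5 and the sample diff are all constructed assumptions for the example; the tag names and weights are those of the table.

```python
"""Heuristic change tagger using the security-relevance table (added example)."""
import re
from typing import Dict, List, Pattern, Set, Tuple

# Tag words and weights exactly as listed in the table above.
TAG_WEIGHTS: Dict[str, int] = {
    "Authentication / Authorization": 5,
    "Auditing, monitoring and alerting": 1,
    "Cryptography": 5,
    "New API": 2,
    "New pages": 1,
    "New 3rd party dependency": 1,
    "New data storage": 3,
    "New data flow": 3,
    "Handling sensitive data": 5,
    "Handling new type of data": 2,
}

# Constructed heuristics (an assumption of this example): a regex over an added
# line that suggests the change touches the tagged area. Several entries may
# point at the same tag.
ADDED_LINE_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("Authentication / Authorization",
     re.compile(r"\b(login|password|role|permission|acl|ldap)\b", re.I)),
    ("Authentication / Authorization", re.compile(r"@PreAuthorize\b")),
    ("Cryptography",
     re.compile(r"\b(MessageDigest|Cipher|SecureRandom|salt|AES|RSA)\b|javax\.crypto")),
    ("New API", re.compile(r"@(RequestMapping|GetMapping|PostMapping|WebService)\b")),
    ("New data storage",
     re.compile(r"\b(CREATE TABLE|@Entity|FileOutputStream|Redis)\b", re.I)),
    ("New data flow",
     re.compile(r"\b(HttpClient|Socket|JmsTemplate|SmbFile|DatagramSocket)\b")),
    ("Handling sensitive data",
     re.compile(r"\b(ssn|credit_?card|card_?number|pii)\b", re.I)),
    ("Auditing, monitoring and alerting", re.compile(r"\b(audit|metrics|alert)\b", re.I)),
]

# Constructed path heuristics: touching a dependency manifest implies a new dependency.
PATH_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("New 3rd party dependency",
     re.compile(r"(pom\.xml|build\.gradle|package\.json|requirements\.txt)$")),
]

# Review threshold: an assumption for this example, not stated on the page.
REVIEW_THRESHOLD = 5


def parse_diff(diff_text: str) -> Dict[str, List[str]]:
    """Map each file in a unified diff to the lines it adds (without the '+')."""
    files: Dict[str, List[str]] = {}
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):           # new-side file header
            current = line[4:]
            if current.startswith("b/"):
                current = current[2:]
            files.setdefault(current, [])
        elif line.startswith("+") and current is not None:
            files[current].append(line[1:])   # an added line
    return files


def tag_change(diff_text: str) -> Set[str]:
    """Return the set of table tag words the diff appears to touch."""
    tags: Set[str] = set()
    for path, added in parse_diff(diff_text).items():
        for tag, pattern in PATH_PATTERNS:
            if pattern.search(path):
                tags.add(tag)
        for line in added:
            for tag, pattern in ADDED_LINE_PATTERNS:
                if pattern.search(line):
                    tags.add(tag)
    return tags


def score(tags: Set[str]) -> int:
    """Sum the table weights of the tags found (summing is this example's choice)."""
    return sum(TAG_WEIGHTS[t] for t in tags)


def needs_security_review(diff_text: str, threshold: int = REVIEW_THRESHOLD) -> bool:
    """True when the weighted score reaches the (assumed) review threshold."""
    return score(tag_change(diff_text)) >= threshold


# Constructed sample diff: adds a crypto dependency and a token endpoint.
SAMPLE_DIFF = """\
diff --git a/pom.xml b/pom.xml
--- a/pom.xml
+++ b/pom.xml
@@ -10,3 +10,7 @@
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+    </dependency>
diff --git a/src/main/java/app/TokenService.java b/src/main/java/app/TokenService.java
--- /dev/null
+++ b/src/main/java/app/TokenService.java
@@ -0,0 +1,6 @@
+import javax.crypto.Cipher;
+public class TokenService {
+    private static final byte[] salt = new byte[16];
+    @PostMapping("/token")
+    public String issue(String password) { return null; }
+}
"""

if __name__ == "__main__":
    found = tag_change(SAMPLE_DIFF)
    print(sorted(found), score(found), needs_security_review(SAMPLE_DIFF))
```

On the sample diff the tagger reports the dependency, cryptography, new-API and authentication tags for a score of 13, well above the assumed threshold, so the change would be routed to security review. The regexes are deliberately coarse: they are meant to surface changes for a human reviewer, so false positives are preferable to silently missing a change in one of the weight-5 areas.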