In the architecture phase of a secure software development lifecycle, we collect security requirements, analyze the threat model, and derive a security architecture. Based on the functional features and the security policies the system must enforce, we identify the trusted computing base (TCB): the set of hardware and software components that must behave correctly for those policies to hold. Several design choices have to be settled at this point, because they determine which components end up inside the TCB. The guiding principle is to keep the TCB as small as possible: a small TCB is what makes a thorough examination of it, such as code inspection and formal verification, feasible in the later development and testing phases.