I bought a new car last year, and being the way I am, I had a list of requirements and repeatedly ran sever cars through the requirements list until I narrowed it down to 5, of which I made my final decision. Things such as: it had to have 4 doors (for the princesses), it had to do 0-60 close to 5 seconds, it had to handle well, look good, and have lots of cool toys inside to play with. Some of theses requirements are easy to evaluate, while some are more subjective. Which brings me to the Information Security connection. In software development projects we are always asked to provide security requirements to the devleopment team that is either in-house or contracted.
"Make sure there are no vulnerabilities that can be exploited" is always one of my favorites, but it is a little vague, and they always seem to want something more concrete. Over the years, I have kept a running list of the items I usually include in those security requirements, so for those of you that are interested, I am including it here. The list is derived from things I have seen in projects and a lot of great external sources such as OWASP, Common Criteria, etc. This list is not meant to be an exhaustive or comprehensive list, but a list that can be used as a base to draw upon when completing these types of requests. you will still need to perform threat modeling, and in depth analysis of the project, and to check that the requirements are being met in the SDLC. If anyone has any updates, suggestions, or corrections, please let me know, and I will update the list.
The link below directs you to a Google Docs page with the doc.
Security Requirements
Thanks
No comments:
Post a Comment