A Security Practices Evaluation Framework

Apply Security Requirements

Consider and document security concerns prior to implementation of software features.

Description

Security requirements are documented statements about what the software should allow and ban with respect to security concerns, including confidentiality, integrity, and availability. When a developer (tester) works on a piece of code (test), they should be able to reference the security requirements of that code (test).

Practice Implementation Questions

  1. Are there organizational and/or project standards for documenting security requirements?
  2. Is a plan for how security will be addressed during development created before development begins?
  3. Does the software development team know whether compliance requirements (regulatory and organizational standards) apply to its software?
  4. Are compliance requirements translated into the work items/user stories/functional specs the developers use to guide their day-to-day progress?
  5. Are user roles, behavior, and permissions specified before coding?
  6. Are the environments and corresponding trust boundaries under which the software will run considered during design/before coding?
  7. Are authentication and authorization implemented for the services and data the software provides?
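As an added illustration (not part of the framework itself), the following constructed Python example shows one way to make documented security requirements referenceable from code and tests: requirements carry an ID and a concern (confidentiality, integrity, availability), the role/permission matrix specified before coding cites those IDs, the authorization check denies by default, and two helpers report traceability gaps between the requirements document and the test suite. Requirement IDs, roles and resources are invented for the example.

```python
"""Constructed example: security requirements as data that code and tests can reference."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRequirement:
    req_id: str
    concern: str     # confidentiality / integrity / availability / non-repudiation
    statement: str   # what the software must allow or ban


# Documented before implementation; IDs and wording are constructed for this example.
REQUIREMENTS = {
    "SR-1": SecurityRequirement("SR-1", "confidentiality",
                                "Only the 'admin' role may read audit records."),
    "SR-2": SecurityRequirement("SR-2", "integrity",
                                "Only the 'admin' role may delete audit records."),
    "SR-3": SecurityRequirement("SR-3", "availability",
                                "Any authenticated role may read its own records."),
}

# Roles, behaviour and permissions specified before coding; every grant cites a requirement.
PERMISSIONS = {
    ("admin", "audit", "read"): "SR-1",
    ("admin", "audit", "delete"): "SR-2",
    ("admin", "own", "read"): "SR-3",
    ("user", "own", "read"): "SR-3",
}


def is_authorized(role: str, resource: str, action: str) -> bool:
    """Deny by default: a (role, resource, action) triple is allowed only when a
    documented requirement grants it."""
    return (role, resource, action) in PERMISSIONS


def grants_without_requirement():
    """Permission grants whose cited requirement is missing from the document."""
    return sorted(k for k, req in PERMISSIONS.items() if req not in REQUIREMENTS)


def untraced_requirements(test_refs):
    """Requirement IDs that no test references.
    test_refs maps a test name to the set of requirement IDs it covers."""
    covered = set().union(*test_refs.values()) if test_refs else set()
    return sorted(set(REQUIREMENTS) - covered)


def undocumented_references(test_refs):
    """Requirement IDs that tests cite but the requirements document lacks."""
    cited = set().union(*test_refs.values()) if test_refs else set()
    return sorted(cited - set(REQUIREMENTS))
```

Running `untraced_requirements` in CI against the IDs your tests declare turns questions 5 and 7 above into a check that fails when a documented requirement has no test or a test cites a requirement nobody wrote down.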

Keywords

authentication, authorization, requirement, use case, scenario, specification, confidentiality, availability, integrity, non-repudiation, user role, regulations, contractual agreements, obligations, risk assessment, FFIEC, GLBA, OCC, PCI DSS, SOX, HIPAA.

OWASP Document security-relevant requirements