[WEB SECURITY] Security in requirement gathering phase
saleem_amer at hotmail.com
Mon May 31 02:47:26 EDT 2010
Dear Dave - Yes, it's the right approach to identify all security concerns upfront as much as possible and plan how to mitigate them using a threat modeling approach.
I would recommend you to use the CLASP project methodology proposed by OWASP. The URL is www.owasp.org
Date: Sun, 30 May 2010 20:39:22 +0530
From: daveyrr at gmail.com
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Security in requirement gathering phase
I want to implement a secure SDLC for applications developed in my organization.
For the requirement gathering phase, I plan to make an exhaustive list of application security controls for various categories like Authentication, Session Management, Auditing and Logging, etc. and ask my application team to accept/reject them based on requirements, with suitable comments. This can be further used during the design phase to make sure all the necessary controls identified as part of the requirements are covered.
I plan to follow this up with a threat modeling activity during the design phase.
Will this be sufficient? If not, can someone suggest a better approach for the Requirement gathering and Design phases?