[WEB SECURITY] Security in requirement gathering phase

AMER SALEEM saleem_amer at hotmail.com
Mon May 31 02:47:26 EDT 2010


Dear Dave - Yes, it's the right approach to identify all security concerns upfront as much as possible and plan how to mitigate them using a threat modeling approach.

I would recommend that you use the CLASP project methodology proposed by OWASP. The URL is www.owasp.org

Regards

Amer Saleem

Date: Sun, 30 May 2010 20:39:22 +0530
From: daveyrr at gmail.com
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Security in requirement gathering phase


I want to implement a secure SDLC for applications developed in my organization.

For the requirement gathering phase, I plan to make an exhaustive list of application security controls for various categories like Authentication, Session Management, Auditing and Logging, etc., and ask my application team to accept/reject them based on the requirement, with suitable comments. This can be further used during the design phase to make sure all the necessary controls identified as a part of the requirements are covered.

I plan to follow this up with a threat modeling activity during the design phase.

Will this be sufficient? If someone can suggest a better approach for the Requirement Gathering and Design phases.

Dave