[WEB SECURITY] Security in requirement gathering phase

Pete Herzog lists at isecom.org
Mon May 31 05:57:24 EDT 2010


Have you looked into the OSSTMM 3 (osstmm.org)? It describes 10 
operational controls which cover everything. Much easier than an 
exhaustive list. You can use it with its own Attack Surface metrics 
(isecom.org/ravs) or with the trust metrics it also describes. The 
trust metrics allow you to focus your resources only on the parts you 
can't trust or don't trust enough, depending on the environment. An 
example of the trust metrics is also at


Another project which may be of interest is the use of the Attack 
Surface metrics for analyzing source code. Currently the SCARE project 
tool (isecom.org/scare) is only for C code but you can use the same 
methodology outlined there to apply it to any web language as well. 
This will show your team what's NOT controlled so they can make a 
decision about every interaction and whether it should be more or less 

It's a much more productive move than guessing which threats you 
should watch out for, because threats change all the time. Sure, it's 
fun to imagine all the possible threats, but it makes more sense to 
focus on controlling all interactions, which works regardless of the 
change in a threat.


Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

On 5/31/2010 8:47 AM, AMER SALEEM wrote:
> Dear Dave - Yes, it's the right approach to identify all security
> concerns upfront as much as possible and plan how to mitigate them using
> a threat modeling approach.
> I would recommend you to use the CLASP project methodology proposed by
> OWASP. The url is www.owasp.org <http://www.owasp.org>
> Regards
> Amer Saleem
> ------------------------------------------------------------------------
> Date: Sun, 30 May 2010 20:39:22 +0530
> From: daveyrr at gmail.com
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Security in requirement gathering phase
> I want to implement secure SDLC for applications developed in my
> organization.
> For the requirement gathering phase, I plan to make an exhaustive list of
> application security controls for various categories like Authentication,
> Session Management, Auditing and Logging etc. and ask my application
> team to accept/reject them based on requirement, with suitable
> comments, which can be further used during the design phase to make sure all
> the necessary controls identified as a part of the requirements are covered.
> I plan to follow this up with a threat modeling activity during the design
> phase.
> Will this be sufficient? If someone can suggest a better approach for
> the Requirement gathering and Design Phase.
> Dave
