[WEB SECURITY] Security in requirement gathering phase

Neelu Tripathy venuspegion at gmail.com
Mon May 31 11:53:14 EDT 2010

Hi Dave,
To build security into your application, you would need to embed it in every
phase. Apart from Security Requirement Gathering and making the design
secure, you should do the following:
1. Do a Threat Modelling, which could be a part of the Design Phase
2. Secure the development by following security guidelines for development
and get the code reviewed
3. Before deployment you should get your application security assessed (try
some PT stuff - it discovers many loopholes)

These are the minimum, and as seen, the application turns out to be
considerably robust.


On Sun, May 30, 2010 at 8:39 PM, dave perry <daveyrr at gmail.com> wrote:

> I want to implement secure SDLC for applications developed in my
> organization.
> For the requirement gathering phase, I plan to make an exhaustive list of
> application security controls for various categories like Authentication,
> Session Management, Auditing and Logging etc. and ask my application team to
> accept/reject them based on requirement, with suitable comments, which can
> be further used during the design phase to make sure all the necessary controls
> identified as a part of requirements are covered.
> I plan to follow this up by a threat modeling activity during the design
> phase.
> Will this be sufficient? If someone can suggest a better approach for
> the Requirement gathering and Design Phase.
> Dave
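The requirement-to-design traceability that Dave describes (a categorised controls checklist, accept/reject decisions with comments, and a design-phase check that every accepted control is actually covered) can be kept as a small machine-checkable artefact rather than a spreadsheet. The script below is an added example and is not code from either poster or from any project mentioned in the thread; the control identifiers, decisions and design elements are constructed sample data, and the three categories are the ones named in the question.

```python
"""Toy security-requirements traceability check (added example, not from the thread).

Models the workflow from the question: a catalogue of security controls per
category, accept/reject decisions with comments from the application team, and
a design-phase check that every accepted control maps to a design element.
All control IDs, decisions and design elements are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    category: str
    description: str


@dataclass(frozen=True)
class Decision:
    accepted: bool
    comment: str = ""


# Constructed controls catalogue for the three categories named in the question.
CONTROLS = [
    Control("AUTH-1", "Authentication", "Passwords verified against a salted hash"),
    Control("AUTH-2", "Authentication", "Throttling or lockout after repeated failed logins"),
    Control("SESS-1", "Session Management", "Session identifier regenerated after login"),
    Control("SESS-2", "Session Management", "Idle session timeout"),
    Control("LOG-1", "Auditing and Logging", "Authentication events logged with time and user"),
    Control("LOG-2", "Auditing and Logging", "Log entries never contain credentials or tokens"),
]

# Constructed requirement-phase decisions. SESS-2 is rejected without a comment
# and LOG-2 has no decision at all, so both should be flagged.
DECISIONS = {
    "AUTH-1": Decision(True),
    "AUTH-2": Decision(True),
    "SESS-1": Decision(True),
    "SESS-2": Decision(False),
    "LOG-1": Decision(True),
}

# Constructed design-phase mapping: design element -> controls it implements.
# LOG-1 was accepted but no design element references it, so it is a gap.
DESIGN_COVERAGE = {
    "Login service": ["AUTH-1", "SESS-1"],
    "Request rate limiter": ["AUTH-2"],
    "Audit log writer": [],
}


def validate_decisions(controls, decisions):
    """Requirement phase: every control needs a decision; every rejection needs a reason."""
    problems = []
    for c in controls:
        d = decisions.get(c.control_id)
        if d is None:
            problems.append(f"{c.control_id}: no accept/reject decision recorded")
        elif not d.accepted and not d.comment.strip():
            problems.append(f"{c.control_id}: rejected without a justifying comment")
    return problems


def design_gaps(controls, decisions, design_coverage):
    """Design phase: accepted controls that no design element claims to implement."""
    covered = {cid for cids in design_coverage.values() for cid in cids}
    return [
        c.control_id
        for c in controls
        if c.control_id in decisions
        and decisions[c.control_id].accepted
        and c.control_id not in covered
    ]


def coverage_by_category(controls, decisions, design_coverage):
    """Per-category view: (accepted, covered) counts, handy for a review report."""
    covered = {cid for cids in design_coverage.values() for cid in cids}
    summary = {}
    for c in controls:
        accepted, done = summary.get(c.category, (0, 0))
        d = decisions.get(c.control_id)
        if d is not None and d.accepted:
            accepted += 1
            if c.control_id in covered:
                done += 1
        summary[c.category] = (accepted, done)
    return summary


if __name__ == "__main__":
    for line in validate_decisions(CONTROLS, DECISIONS):
        print("requirements:", line)
    for cid in design_gaps(CONTROLS, DECISIONS, DESIGN_COVERAGE):
        print("design gap:", cid)
    for cat, (acc, done) in coverage_by_category(CONTROLS, DECISIONS, DESIGN_COVERAGE).items():
        print(f"{cat}: {done}/{acc} accepted controls covered in design")
```

Running the script lists the two requirement-phase problems (an undecided control and a rejection with no justification) and the one design gap; the same checks can be rerun after each design revision so the accept/reject list stays a living input to threat modelling rather than a one-off document.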