[WEB SECURITY] Security in requirement gathering phase

Chander chander.singh at gmail.com
Mon May 31 16:47:14 EDT 2010

QA plays a very important role in our application testing, hence they should also be trained and threat model analysis should be integrated with the various testing stages of QA.

Chander Singh

From: Neelu Tripathy 
Sent: Monday, May 31, 2010 08:53
To: dave perry 
Cc: websecurity at webappsec.org 
Subject: Re: [WEB SECURITY] Security in requirement gathering phase

Hi Dave, 
To build security into your application, you would need to embed it in every phase. Apart from Security Requirement Gathering and making the design secure, you should do the following:
1. Do a Threat Modelling, which could be a part of the Design Phase
2. Secure the development by following security guidelines for development and get the code reviewed
3. Before deployment you should get your application security assessed (try some PT stuff - it discovers many loopholes)

These are the minimum and, as seen, the application turns out to be considerably robust.


On Sun, May 30, 2010 at 8:39 PM, dave perry <daveyrr at gmail.com> wrote:

  I want to implement a secure SDLC for applications developed in my organization.
  For the requirement gathering phase, I plan to make an exhaustive list of application security controls for various categories like Authentication, Session Management, Auditing and Logging etc. and ask my application team to accept/reject them based on requirement, with suitable comments. This can be further used during the design phase to make sure all the necessary controls identified as a part of the requirements are covered.
  I plan to follow this up by a threat modeling activity during the design phase.
  Will this be sufficient? If someone can suggest a better approach for the Requirement gathering and Design phases.

