[WEB SECURITY] Security in requirement gathering phase
chander.singh at gmail.com
Mon May 31 16:47:14 EDT 2010
QA plays a very important role in our application testing, hence they should also be trained, and threat model analysis should be integrated with the various testing stages of QA.
From: Neelu Tripathy
Sent: Monday, May 31, 2010 08:53
To: dave perry
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Security in requirement gathering phase
To build security into your application, you would need to embed it in every phase. Apart from Security Requirement Gathering and making the design secure, you should do the following:
1. Do a Threat Modelling which could be a part of Design Phase
2. Secure the development by following security guidelines for development and get the code reviewed
3. Before deployment you should get your application security assessed (try some PT stuff - it discovers many loopholes)
These are the minimum, and as seen, the application turns out to be considerably robust.
On Sun, May 30, 2010 at 8:39 PM, dave perry <daveyrr at gmail.com> wrote:
I want to implement secure SDLC for applications developed in my organization.
For the requirement gathering phase, I plan to make an exhaustive list of application security controls for various categories like Authentication, Session Management, Auditing and Logging, etc., and ask my application team to accept/reject them based on requirement, with suitable comments. This can be further used during the design phase to make sure all the necessary controls identified as part of the requirements are covered.
I plan to follow this up by a threat modeling activity during the design phase.
Will this be sufficient? Can someone suggest a better approach for the Requirement Gathering and Design phases?