Scribd Logo
Upload

Welcome to Scribd!

  • Unit 30 - AD - Lesson 07 - Security Requirement

    Uploaded by

    Duminda
    6 views7 pages
    Unit 30 - AD - Lesson 07 - Security Requirement

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Unit 30 - AD - Lesson 07 - Security Requirement

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views7 pages

    Unit 30 - AD - Lesson 07 - Security Requirement

    Uploaded by

    Duminda
    Unit 30 - AD - Lesson 07 - Security Requirement

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    Application

    Development
    LESSON [7] –SECURITY REQUIREMENT

    Security Requirement APPLICATION DEVELOPMENT 1


    Learning outcomes - Lesson 1 :
    LO1 Produce a Software Design Document by analysing a business-related problem and deduce
    an appropriate solution including a set of initial requirements
    LO2 Use design and development methodologies with tools and techniques associated with
    the creation of a business application.
    LO3 Work individually and as part of a team to plan and produce a functional business
    application with support documentation
    LO4 Evaluate the performance of a business application against its Software Design Document
    and initial requirements.

    Security Requirement APPLICATION DEVELOPMENT 2


    Secure Software Requirements
    From Security prospect, Requirement Document should also capture, Product Security
    Requirements like Compliance needs, Industry Security Best Practices and any specific regulation
    to be followed from Industry or Deployment scenario.
    This document should also provide Security Definitions and Quality Gates, to ensure proper
    validation can be carried out.
    Building Security Checklist is a challenging task, as Product specification may vary with respect
    to Industry, deployment environment and considered Standards.
    Broadly, we can categorize Checklist content to satisfy 4 areas of Application/Software Security
    viz. Core, General, Operational and Regulations. Let’s walk through these areas and have glimpse
    of same:

    Security Requirement APPLICATION DEVELOPMENT 3


    Core Security Requirement
    C.I.A. Triad [Confidentiality, Integrity and Availability] & A.A.A. [Authentication, Authorization and Accountability] are the
    core Security areas around which every product/software Security controls are defined.
    Confidentiality:
    ◦ Confidentiality Requirements address protection against Disclosure of Sensitive Data to Unauthorized Individuals. We need to consider
    controls to ensure confidentiality is ensured when Data is at Rest, In-Transit and also when it is processed.
    Integrity:
    ◦ Integrity requirements is needed to ensure Reliability and Accuracy of the information. Reliability can be ensured by checking software
    functionality and Accuracy can be ensured by checking that the data is modified by authorized person in authorized manner and by
    Ensuring that handled data is Complete and consistent.
    Availability:
    ◦ Availability Requirements ensures protection against unwanted destruction or disruption of Service
    Authentication:
    ◦ We know, Authentication is all about ensuring llegitimacy and validity of the Identity.
    Authorization:
    ◦ Authorization defines permissions to be assigned to All Authenticated entities.
    Accountability:
    ◦ Accountability is all about building record of user action and act as Detective Control

    Security Requirement APPLICATION DEVELOPMENT 4


    General (Application) Security Requirements

    From Application/Software Security prospect, General security requirements should capture


    proper Session, Error and Configuration management needs.
    Session Management:
    ◦ Sessions are used to maintain state. In usual Application communication, on successful user/process
    Authentication, Session Identified (ID) is issued to Track authenticated state.

    Error Management:
    ◦ In Application, providing Errors and Traces are the part of usual process, when any un-wanted or un-
    scoped condition is encountered.

    Configuration management:
    ◦ Configurations drive application features and functionality. Specific practices and measures should be
    defined to avoid any Sensitive Data leakage and Security of these

    Security Requirement APPLICATION DEVELOPMENT 5


    Operational Security Requirements
    Once Application/Software is developed and deployed, Security should also be considered when
    it is Operational in environment to avoid any unwanted disclosure or leakage.
    Deployment Environment:
    ◦ Security Requirement list should capture information about environment in which Software will be
    deployed and who will be using same.

    Archiving:
    ◦ Archiving is required to ensure Business Continuity, Regulatory Requirements and Organizational
    (Retention) Policy. It is important to capture archiving requirements to comply with organization’s policy
    and regulations.

    Anti-Piracy:
    ◦ It is a part of Commercial off-the-shelf (COTS) requirement. It includes Code Obfuscation, Signing, Anti
    Tampering, Licensing, IP Protection mechanism.

    Security Requirement APPLICATION DEVELOPMENT 6


    The END .
    Security Requirement APPLICATION DEVELOPMENT 7

    You might also like