Difference between revisions of "Category:BP3 Capture security requirements"

From OWASP
m (Undo revision 61424 by CtrocDeler)
 

Latest revision as of 13:01, 22 May 2009

Overview

Ensure that security requirements have the same level of “citizenship” as all other “must haves.” It’s easy for application architects and project managers to focus on functionality when defining requirements, since they support the greater purpose of the application to deliver value to the organization. Security considerations can easily go by the wayside. So it is crucial that security requirements be an explicit part of any application development effort. Among the factors to be considered:

  • An understanding of how applications will be used, and how they might be misused or attacked.
  • The assets (data and services) that the application will access or provide, and what level of protection is appropriate given your organization’s appetite for risk, regulations you are subject to, and the potential impact on your reputation should an application be exploited.
  • The architecture of the application and probable attack vectors.
  • Potential compensating controls, and their cost and effectiveness.