Category:BP3 Capture security requirements

Revision as of 11:38, 22 May 2009 by Deleted user (Talk | contribs)

Ensure that security requirements have the same level of “citizenship” as all other “must haves.” It’s easy for application architects and project managers to focus on functionality when defining requirements, since they support the greater purpose of the application to deliver value to the organization. Security considerations can easily go by the wayside. So it is crucial that security requirements be an explicit part of any application development effort. Among the factors to be considered:

  • An understanding of how applications will be used, and how they might be misused or attacked.
  • The assets (data and services) that the application will access or provide, and what level of protection is appropriate given your organization’s appetite for risk, regulations you are subject to, and the potential impact on your reputation should an application be exploited.
  • The architecture of the application and probable attack vectors.
  • Potential compensating controls, and their cost and effectiveness.