Difference between revisions of "High Level Requirements Categories"

From OWASP
(This is more of a framework of requirements for an overall project than pure Development requirements. Definitely needs work and code-specific requirements should probably be split out from overall r)
 
(Cleaned up and resequenced the first stab a little.)
Line 1: Line 1:
 
==Intro==
 
==Intro==
 
==Categories of Requirements==
 
==Categories of Requirements==
 +
===Frameworks and stacks===
 +
#A secure, robust, flexible, easily supportable framework shall be chosen
 +
#A secure, robust, enterprise-worthy platform stack shall be chosen
 +
#Widely recognized and well-documented APIs (such as the [http://www.owasp.org/index.php/ESAPI#tab=Home ESAPI]) shall be leveraged to ensure speed, consistency, and baseline security of the application
 +
#Secure coding practices including security training and reviews shall be incorporated into each phase of development
 +
===Application Security===
 +
#NO PASSWORDS EMBEDDED IN CODE! REALLY!
 +
#Input validation
 +
##Whitelisting when possible
 +
##Blacklisting by exception
 +
##Escaping output
 +
#Session controls
 +
#Anti-trojan design considerations
 +
##Email/SMS/telephone confirmation
 +
##2-factor authentication
 +
##Transfer timing controls
 +
##Number of simultaneous sessions permitted
 +
##Detection of simultaneous sessions from different continents
 +
====Authentication considerations====
 +
=====Application=====
 +
#See [[File:OWASP_Application_Security_Requirements_-_Identification_and_Authorisation_v0.1_(DRAFT).doc]]======
 +
=====Management and administration tools=====
 +
#2-Factor Authentication
 +
====Anti-fraud and business logic flaw considerations====
 +
 +
===Encryption Requirements===
 +
====Encryption of Data at rest====
 +
====Encryption of Data in transit====
 +
====Encryption of Data while processing====
 +
====Encryption and obfuscation of code====
 +
====Hash functions====
 +
#Code signing
 +
#Message Digests
 +
====Whatever Bruce Schneier says====
 +
====Encryption of Remote Administration and Content Management tools====
 +
 
===Compliance===
 
===Compliance===
 
====PCI DSS====
 
====PCI DSS====
=====Current requirements=====
+
#Current requirements
=====OWASP Top 10=====
+
#[http://www.owasp.org/index.php/Top_10 OWASP Top 10]
=====WAF Integration considerations=====
+
#WAF Integration considerations
=====Ongoing testing considerations=====
+
#Ongoing testing considerations
 
====GLBA====
 
====GLBA====
=====Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money=====
+
#Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money?!?
======Go ahead, list some requirements======
+
#Go ahead, list some requirements
 
====HIPAA====
 
====HIPAA====
 
====Basel II====
 
====Basel II====
 
====National Compliance Requirements====
 
====National Compliance Requirements====
=====Privacy Policy=====
+
#Privacy Policy
=====Log retention=====
+
#Logging and log retention
=====Content archiving and retention=====
+
#Content archiving and retention
=====Protection of minors=====
+
#Protection of minors
 
====State/Province Compliance Requirements====
 
====State/Province Compliance Requirements====
 
====Municipality Compliance Requirments====
 
====Municipality Compliance Requirments====
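Review bot: the added item `#See [[File:OWASP_Application_Security_Requirements_-_Identification_and_Authorisation_v0.1_(DRAFT).doc]]======` ends in a stray `======`; because the line begins with `#` it is a numbered list item rather than a heading, so the equals signs will render literally after the file link. Drop them. The context heading `====Municipality Compliance Requirments====` also misspells "Requirements" and is worth correcting in the same edit.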
Line 22: Line 58:
 
===Auditability===
 
===Auditability===
 
====Logging====
 
====Logging====
=====Application=====
+
#Application
=====OS, Webserver, and Database Logging=====
+
#OS, Webserver, and Database Logging
=====Firewall, WAF, and other security device logging=====
+
#Firewall, WAF, and other security device logging
====Event Triggers====
+
#Event Triggers
=====Periodic log reviews=====
+
##Periodic log reviews
=====Event-driven log analysis=====
+
##Event-driven log analysis
======Employee termination=======
+
###Employee termination
======Suspected breach======
+
###Suspected breach
======Honeypot trigger======
+
###Honeypot trigger
===Application Security===
+
 
====NO PASSWORDS EMBEDDED IN CODE! REALLY!====
+
====Input validation====
+
=====Whitelisting when possible=====
+
=====Blacklisting by exception=====
+
=====Escaping output=====
+
====Session controls====
+
====Anti-trojan design considerations====
+
=====Email/SMS/telephone confirmation=====
+
=====2-factor authentication=====
+
=====Transfer timing controls=====
+
=====Number of simultaneous sessions permitted=====
+
=====Detection of simultaneous sessions from different continents=====
+
====Authentication considerations====
+
=====Application=====
+
======See [[File:OWASP_Application_Security_Requirements_-_Identification_and_Authorisation_v0.1_(DRAFT).doc]]======
+
=====Management and administration tools=====
+
======2-Factor Authentication======
+
  
====Anti-fraud and business logic flaw considerations====
 
 
===Additional Security Considerations===
 
===Additional Security Considerations===
 +
#Decoys, Honeypots, and other devices for detection and delay
 +
#Network, Hardware, Physical, OS, Platform, and Framework Considerations
 +
##Network Security Considerations
 +
##Hardware Security Considerations
 +
##Physical Security Considerations
 +
##OS Security Considerations
 +
###Hardening standards
 +
#Platform Security Considerations
 +
##Hardening standards
 +
##Configuration management and auditing
 +
##Patching
 +
###All components shall be compatible and capable of being fully patched within 30 days of a component security patch release
 +
##Minimized attack surface
 +
###Removal of all demo code
 +
###Changing of all default passwords
 +
###Robots.txt and passive crawler considerations
  
====Decoys, Honeypots, and other devices for detection and delay====
 
====Network, Hardware, Physical, OS, Platform, and Framework Considerations====
 
=====Network Security Considerations=====
 
=====Hardware Security Considerations=====
 
=====Physical Security Considerations=====
 
=====OS Security Considerations=====
 
======Hardening standards======
 
====Platform Security Considerations====
 
=====Hardening standards=====
 
=====Configuration management and auditing=====
 
=====Patching=====
 
=====Minimized attack surface=====
 
=====Removal of all demo code======
 
=====Changing of all default passwords=====
 
=====Robots.txt and passive crawler considerations=====
 
 
====Operational Security Considerations====
 
====Operational Security Considerations====
======Clean desk policy======
+
#Clean desk policy
======Bonding of outsourced/off-shored Developers======
+
#Bonding of outsourced/off-shored Developers
======Need to know======
+
#Need to know
======Trade secrets======
+
#Trade secrets
======Posting questions to help, support, and user forums======
+
#Posting questions to help, support, and user forums
======Customer Service Identification and Authenticaion considerations======
+
#Customer Service Identification and Authenticaion considerations
=======Distinguishing a legitimate user from a social-engineering scam-artist=======
+
##Distinguishing a legitimate user from a social-engineering scam-artist
===Encryption Requirements===
+
====Encryption of Data at rest====
+
====Encryption of Data in transit====
+
====Encryption of Data while processing====
+
====Encryption and obfuscation of code====
+
====Hash functions====
+
=====Code signing=====
+
=====Message Digests=====
+
====Whatever Bruce Schneier says====
+
====Encryption of Remote Administration and Content Management tools====
+
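Review bot: several headings in this hunk have unbalanced or over-deep `=` delimiters that MediaWiki will not parse as headings: `======Employee termination=======` (six opening, seven closing), `=====Removal of all demo code======` (five opening, six closing), and `=======Distinguishing a legitimate user from a social-engineering scam-artist=======` (seven, beyond the six heading levels the wiki supports). Balance the delimiters and keep the depth at six or fewer, or fold these into the numbered `##`/`###` items that already appear beside them. "Authenticaion" in the Customer Service heading and its matching list item should read "Authentication".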

Revision as of 03:29, 26 February 2011

Intro

Categories of Requirements

Frameworks and stacks

  1. A secure, robust, flexible, easily supportable framework shall be chosen
  2. A secure, robust, enterprise-worthy platform stack shall be chosen
  3. Widely recognized and well-documented APIs (such as the ESAPI) shall be leveraged to ensure speed, consistency, and baseline security of the application
  4. Secure coding practices including security training and reviews shall be incorporated into each phase of development

Application Security

  1. NO PASSWORDS EMBEDDED IN CODE! REALLY!
  2. Input validation
    1. Whitelisting when possible
    2. Blacklisting by exception
    3. Escaping output
  3. Session controls
  4. Anti-trojan design considerations
    1. Email/SMS/telephone confirmation
    2. 2-factor authentication
    3. Transfer timing controls
    4. Number of simultaneous sessions permitted
    5. Detection of simultaneous sessions from different continents

Authentication considerations

Application

  1. See File:OWASP Application Security Requirements - Identification and Authorisation v0.1 (DRAFT).doc

Management and administration tools

  1. 2-Factor Authentication

Anti-fraud and business logic flaw considerations

Encryption Requirements

Encryption of Data at rest

Encryption of Data in transit

Encryption of Data while processing

Encryption and obfuscation of code

Hash functions

  1. Code signing
  2. Message Digests

Whatever Bruce Schneier says

Encryption of Remote Administration and Content Management tools

Compliance

PCI DSS

  1. Current requirements
  2. OWASP Top 10
  3. WAF Integration considerations
  4. Ongoing testing considerations

GLBA

  1. Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money?!?
  2. Go ahead, list some requirements

HIPAA

Basel II

National Compliance Requirements

  1. Privacy Policy
  2. Logging and log retention
  3. Content archiving and retention
  4. Protection of minors

State/Province Compliance Requirements

Municipality Compliance Requirements

Compliance with existing contracts and business obligations

Auditability

Logging

  1. Application
  2. OS, Webserver, and Database Logging
  3. Firewall, WAF, and other security device logging
  4. Event Triggers
    1. Periodic log reviews
    2. Event-driven log analysis
      1. Employee termination
      2. Suspected breach
      3. Honeypot trigger
Additional Security Considerations

  1. Decoys, Honeypots, and other devices for detection and delay
  2. Network, Hardware, Physical, OS, Platform, and Framework Considerations
    1. Network Security Considerations
    2. Hardware Security Considerations
    3. Physical Security Considerations
    4. OS Security Considerations
      1. Hardening standards
  3. Platform Security Considerations
    1. Hardening standards
    2. Configuration management and auditing
    3. Patching
      1. All components shall be compatible and capable of being fully patched within 30 days of a component security patch release
    4. Minimized attack surface
      1. Removal of all demo code
      2. Changing of all default passwords
      3. Robots.txt and passive crawler considerations

Operational Security Considerations

  1. Clean desk policy
  2. Bonding of outsourced/off-shored Developers
  3. Need to know
  4. Trade secrets
  5. Posting questions to help, support, and user forums
  6. Customer Service Identification and Authentication considerations
    1. Distinguishing a legitimate user from a social-engineering scam-artist