Difference between revisions of "High Level Requirements Categories"

Jump to: navigation, search
m (Application)
m (Logging)
Line 59: Line 59:
Each transaction shall be available for review in detail for a period of no less than one year.  Transactions shall be traceable to the username, IP address, and time within 1/100th of a second. 
#OS, Webserver, and Database Logging
#OS, Webserver, and Database Logging
Line 68: Line 69:
###Suspected breach
###Suspected breach
###Honeypot trigger
###Honeypot trigger
===Additional Security Considerations===
===Additional Security Considerations===

Revision as of 03:33, 26 February 2011


Categories of Requirements

Frameworks and stacks

  1. A secure, robust, flexible, easily supportable framework shall be chosen
  2. A secure, robust, enterprise-worthy platform stack shall be chosen
  3. Widely recognized and well-documented APIs (such as the ESAPI) shall be leveraged to ensure speed, consistency, and baseline security of the application
  4. Secure coding practices including security training and reviews shall be incorporated into each phase of development

Application Security

  2. Input validation
    1. Whitelisting when possible
    2. Blacklisting by exception
    3. Escaping output
  3. Session controls
  4. Anti-trojan design considerations
    1. Email/SMS/telephone confirmation
    2. 2-factor authentication
    3. Transfer timing controls
    4. Number of simultaneous sessions permitted
    5. Detection of simultaneous sessions from different continents

Authentication considerations

  1. See File:OWASP Application Security Requirements - Identification and Authorisation v0.1 (DRAFT).doc
Management and administration tools
  1. 2-Factor Authentication

Anti-fraud and business logic flaw considerations

Encryption Requirements

Encryption of Data at rest

Encryption of Data in transit

Encryption of Data while processing

Encryption and obfuscation of code

Hash functions

  1. Code signing
  2. Message Digests

Whatever Bruce Schneier says

Encryption of Remote Administration and Content Management tools



  1. Current requirements
  2. OWASP Top 10
  3. WAF Integration considerations
  4. Ongoing testing considerations


  1. Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money?!?
  2. Go ahead, list some requirements


Basel II

National Compliance Requirements

  1. Privacy Policy
  2. Logging and log retention
  3. Content archiving and retention
  4. Protection of minors

State/Province Compliance Requirements

Municipality Compliance Requirments

Compliance with existing contracts and business obligations



Each transaction shall be available for review in detail for a period of no less than one year. Transactions shall be traceable to the username, IP address, and time within 1/100th of a second.

  1. Application
  2. OS, Webserver, and Database Logging
  3. Firewall, WAF, and other security device logging
  4. Event Triggers
    1. Periodic log reviews
    2. Event-driven log analysis
      1. Employee termination
      2. Suspected breach
      3. Honeypot trigger

Additional Security Considerations

  1. Decoys, Honeypots, and other devices for detection and delay
  2. Network, Hardware, Physical, OS, Platform, and Framework Considerations
    1. Network Security Considerations
    2. Hardware Security Considerations
    3. Physical Security Considerations
    4. OS Security Considerations
      1. Hardening standards
  3. Platform Security Considerations
    1. Hardening standards
    2. Configuration management and auditing
    3. Patching
      1. All components shall be compatible and capable of being fully patched within 30 days of a component security patch release
    4. Minimized attack surface
      1. Removal of all demo code
      2. Changing of all default passwords
      3. Robots.txt and passive crawler considerations

Operational Security Considerations

  1. Clean desk policy
  2. Bonding of outsourced/off-shored Developers
  3. Need to know
  4. Trade secrets
  5. Posting questions to help, support, and user forums
  6. Customer Service Identification and Authenticaion considerations
    1. Distinguishing a legitimate user from a social-engineering scam-artist