High Level Requirements Categories

From OWASP
Revision as of 02:10, 26 February 2011 by Andylew (Talk | contribs)


Contents

Intro

Categories of Requirements

Compliance

PCI DSS

Current requirements
OWASP Top 10
WAF Integration considerations
Ongoing testing considerations

GLBA

Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money?
Go ahead, list some requirements

HIPAA

Basel II

National Compliance Requirements

Privacy Policy
Log retention
Content archiving and retention
Protection of minors

State/Province Compliance Requirements

Municipality Compliance Requirements

Compliance with existing contracts and business obligations

Auditability

Logging

Application
OS, Webserver, and Database Logging
Firewall, WAF, and other security device logging

Event Triggers

Periodic log reviews
Event-driven log analysis
Employee termination
Suspected breach
Honeypot trigger

Application Security

NO PASSWORDS EMBEDDED IN CODE! REALLY!

Input validation

Whitelisting when possible
Blacklisting by exception
Escaping output

Session controls

Anti-trojan design considerations

Email/SMS/telephone confirmation
2-factor authentication
Transfer timing controls
Number of simultaneous sessions permitted
Detection of simultaneous sessions from different continents

Authentication considerations

Application
See File:OWASP Application Security Requirements - Identification and Authorisation v0.1 (DRAFT).doc
Management and administration tools
2-Factor Authentication

Anti-fraud and business logic flaw considerations

Additional Security Considerations

Decoys, Honeypots, and other devices for detection and delay

Network, Hardware, Physical, OS, Platform, and Framework Considerations

Network Security Considerations
Hardware Security Considerations
Physical Security Considerations
OS Security Considerations
Hardening standards

Platform Security Considerations

Hardening standards
Configuration management and auditing
Patching
Minimized attack surface
Removal of all demo code
Changing of all default passwords
Robots.txt and passive crawler considerations

Operational Security Considerations

Clean desk policy
Bonding of outsourced/off-shored Developers
Need to know
Trade secrets
Posting questions to help, support, and user forums
Customer Service Identification and Authentication considerations
Distinguishing a legitimate user from a social-engineering scam-artist

Encryption Requirements

Encryption of Data at rest

Encryption of Data in transit

Encryption of Data while processing

Encryption and obfuscation of code

Hash functions

Code signing
Message Digests

Whatever Bruce Schneier says

Encryption of Remote Administration and Content Management tools