Lea V

Principal Security Consultant (http://www.lavsecurity.fi), GSNA + CISSP

What tools or methods do you use for software risk analysis or getting security requirements?

In a software development project, the target application has a set of functional requirements that need to be fulfilled. It also should have a set of security requirements to guide the development to building a secure application. There are several ways of getting these security requirements; I mostly use a risk analysis based approach.

I'm interested in hearing if there are any other tools/services/methods/checklists people are actually using to help in this task. The focus here is security in the application itself, not general project related risks such as timetable issues or lack of programmer expertise.

Thanks!

posted January 18, 2007 in Software Development | Closed

Good Answers (2)

 

Mikko S

Software Manager at Philips Healthcare

This was selected as Best Answer

Our company has had a well-defined product security risk management framework for some years. It is also risk analysis based, so we start by identifying different security threats and vulnerabilities and estimating their severity and probability. All risks are documented and linked to their risk control requirements in our requirements management system (Telelogic DOORS).

When you try to identify as many security threat scenarios as possible, it is better to use a model or checklist than to just list threats off the top of your head. I suppose there is more than one good model, but we have used the OCTAVE method to build asset-based threat profiles.

Links:

posted January 19, 2007

 

Michael S

Information security survivor

I would recommend you check out the Factor Analysis of Information Risk (FAIR) Framework at the link below. While most still focus on best practices and top 20 lists, FAIR is all about putting hard numbers down for information risk.

Links:

posted January 18, 2007

More Answers (2)

 

Curtis H

Founder and President, StreamLogic Inc.

Lea,

I have used Foundstone in the past. I have been to their training, etc. They are "experts" in the area of software security, and have some great tools and resources on their website. You can download most of these and run them against your project(s). Link is below.

Also, the book "Writing Secure Code" (Michael Howard, David C. LeBlanc) is a great book for security considerations in software projects.

Hope this helps,
Curtis

Curtis C Hughes
President
StreamLogic Inc.
www.StreamLogicInc.com

Links:

posted January 18, 2007

 

Ramchandar (Raam) V

Manager, Innovations and Business Development

Since you use a risk analysis based method, I am not going to get into those aspects.
In terms of getting security requirements for the application itself: I would start with the base of what security is built upon: the networking and the architecture.
Security requirements needed for an application:
Hardware (NEBS compliance, environment compliance, etc.)
Middleware (device drivers, actuators, etc.)
OS (hardening the OS is a MUST for any application)
Software base (latest versions of compilers, dependencies, etc.)
Application itself
The next thing is to look at requirements needed for the surrounding environment (meaning how the application speaks): basically networking and interaction with other applications.
The chain is as weak as the weakest link. So securing an application's environment is as good as securing its weakest link.
Unless it's a non-networked application, I doubt that you don't need requirements on network security (IPSEC, TLS, SSH, etc.).
So the thing to look at: the application security requirements are the choice of "language" an application speaks, which depends on the "protocols" being used and its vulnerabilities/security requirements.
All of the above needs to be taken in context with securing the whole system along with the network.
Finally, application building practices and mechanisms need to be looked at whether you like it or not. How we build an application is as important as the application is. (A paper house as big as a real one will not last as well as a wooden or a concrete one.)
So requirements on securing: version controls, build mechanisms, testing methods, delivery mechanism, documentation, etc. need to be looked at also.
I hope this provides a high-level checklist with which you can detail it to suit your needs using your expertise.
-Raam

posted January 24, 2007