Software Security Engineering - Build Security In - US-CERT

More documents

Recommendations

Info

Requirements Engineering Practices 1 Practices in Recommended Order Description Maturity Audience Standard security requirements engineering process Establish a defined process for identifying and documenting security requirements, such as SQUARE Relevant for These Roles L3 E, M, L • Project manager Security risk assessment Perform a risk assessment aimed at security exposures, either as part of a project risk assessment or as a standalone activity L3 for security; L4 for projects in general M, L • Project manager • Lead requirements engineer Threat identification Use techniques such as misuse/abuse cases, threat modeling, attack patterns, or attack trees to identify security threats L3 L • Lead requirements engineer • Security analyst Thursday, November 06, 2008 Software Security Engineering Nancy R. Mead, October 16, 2008 © 2008 Carnegie Mellon University 40
Requirements Engineering Practices 2 Practices in Recommended Order Description Maturity Audience Security requirements elicitation Conduct a security requirements elicitation activity to identify potential security requirements Relevant for These Roles L2 L • Lead requirements engineer • Stakeholders Security requirements categorization and prioritization Security requirements inspection Categorize and prioritize security requirements to separate true require-ments from architectural recommendations and to optimize cost–benefit considerations Inspect security requirements in conjunction with other requirements to ensure they are correct and complete L2 L • Lead requirements engineer • Stakeholders L2 for security; L4 for inspections in general L • Lead requirements engineer Thursday, November 06, 2008 Software Security Engineering Nancy R. Mead, October 16, 2008 © 2008 Carnegie Mellon University 41
Page 1 and 2: Software Security Engineering Softw
Page 3 and 4: So What Is Software Security? Softw
Page 5 and 6: Build Security In: A Key Resource
Page 7 and 8: Why is Security a Software Issue?
Page 9 and 10: The Problem • Organizations incre
Page 11 and 12: Software that has been developed wi
Page 13 and 14: Software Security Always Has a Cost
Page 15 and 16: The Risk Management Framework • B
Page 17 and 18: What makes software secure? © 2008
Page 19 and 20: Core Properties of Secure Software
Page 21 and 22: Influencing the Security Properties
Page 23 and 24: Addressing the Expected: Security A
Page 25 and 26: Addressing the Unexpected: Avoiding
Page 27 and 28: The Attacker’s Perspective • As
Page 29 and 30: Parting Thoughts on Secure Software
Page 31 and 32: SDLC With Defined Security Touchpoi
Page 33 and 34: Assess Security Risk Across the SDL
Page 35 and 36: Maturity Indicators Maturity Level
Page 37 and 38: Software Security Practices That Sp
Page 39: Software Security Practices That Sp
Page 43 and 44: Architecture and Design Practices 2
Page 45 and 46: Coding and Testing Practices 2 Prac
Page 47 and 48: Coding and Testing Practices 4 Prac
Page 49 and 50: Security Analysis for System Comple
Page 51 and 52: Security Analysis for System Comple
Page 53 and 54: Governance and Management Practices
Page 55 and 56: Governance and Management Practices
Page 57 and 58: Recommendations Treat software secu
Page 59: Contact Information Sean Barnum Pri

Software Security Engineering - Build Security In - US-CERT

Create successful ePaper yourself

Delete template?

Save as template?