EC Council CASE.NET(312-95)_筆記_Module2專有名詞及定義

 

Importance of Gathering Security Requirements

Security Requirements

1. Software security requirements are non functional requirements, which need to be addressed to maintain the confidentiality, integrity and availability of the application.
2. Stakeholders often overlook security requirement during the inception phase of software development.
3. This negligence may result in the application being vulnerable to different types of attacks or getting abused.
4. Gathering security requirements should be part of the strategic application development process.

Stakeholders參與溝通會議者

negligence 疏忽

Gathering Security Requirements

• Elicitine software security requirements takes different approach
• It should be enumerated separate from the functional requirement so that they can be reviewed and tested separately
• Mixing security requirement with functional requirement can make security requirement gathering process more complicated and inaccurate

Elicitine 引、探出

enumerated 列舉

Why We Need Different Approach for Security Requirements Gathering

Functional requirements are positive requirements specifying what the software should do

Security requirements are negative requirements specifying what the software should not do

It is against natural tendency of people that they are clear about what they want but quite find it difficult to understand what they don't want

對user而言通常是很擅長提出他們要捨麼需求但通常對於不要捨麼是很難清楚查找跟界定的

A software needs to be viewed in a more negative, critical and destructive way to reveal its non-intended use and its associated security requirements

通常軟體需求比較是被緊急且具壓迫性地也間接影響到資安需求的緊急迫切性

Key Benefits of Addressing Security at Requirement Phase

Addressing security at requirement phase can save the economy billions of dollars as compared to addressing security at later phase of software development.

Security requirements give the developer an overview about key security controls required to build secure application.

It also specifies the security mechanisms that need to be implemented in order to comply with regulations, standards or requirements for the secure application development and attack protection.

Correctly understood security requirements can help in implementing security in design, development and testing stages