EC Council CASE.NET(312-95)_筆記_Module2專有名詞及定義

 

Importance of Gathering Security Requirements



Security Requirements

  1. Software security requirements are non functional requirements, which need to be addressed to maintain the confidentiality, integrity and availability of the application.
  2. Stakeholders often overlook security requirement during the inception phase of software development.
  3. This negligence may result in the application being vulnerable to different types of attacks or getting abused.
  4. Gathering security requirements should be part of the strategic application development process.

Stakeholders參與溝通會議者
negligence 疏忽



Gathering Security Requirements

  • Elicitine software security requirements takes different approach
  • It should be enumerated separate from the functional requirement so that they can be reviewed and tested separately
  • Mixing security requirement with functional requirement can make security requirement gathering process more complicated and inaccurate
Elicitine 引、探出
enumerated 列舉



Why We Need Different Approach for Security Requirements Gathering


Functional requirements are positive requirements specifying what the software should do

Security requirements are negative requirements specifying what the software should not do

It is against natural tendency of people that they are clear about what they want but quite find it difficult to understand what they don't want

對user而言通常是很擅長提出他們要捨麼需求但通常對於不要捨麼是很難清楚查找跟界定的

A software needs to be viewed in a more negative, critical and destructive way to reveal its non-intended use and its associated security requirements

通常軟體需求比較是被緊急且具壓迫性地也間接影響到資安需求的緊急迫切性



Key Benefits of Addressing Security at Requirement Phase

Addressing security at requirement phase can save the economy billions of dollars as compared to addressing security at later phase of software development.

Security requirements give the developer an overview about key security controls required to build secure application.

It also specifies the security mechanisms that need to be implemented in order to comply with regulations, standards or requirements for the secure application development and attack protection.

Correctly understood security requirements can help in implementing security in design, development and testing stages































留言

這個網誌中的熱門文章

何謂淨重(Net Weight)、皮重(Tare Weight)與毛重(Gross Weight)

Architecture(架構) 和 Framework(框架) 有何不同?_軟體設計前的事前規劃的藍圖概念

經得起原始碼資安弱點掃描的程式設計習慣培養(五)_Missing HSTS Header