EC-Council CASE.NET (312-95) Notes: Module 2 Terminology and Definitions
Importance of Gathering Security Requirements
Security Requirements
- Software security requirements are non-functional requirements that need to be addressed to maintain the confidentiality, integrity and availability of the application.
- Stakeholders often overlook security requirements during the inception phase of software development.
- This negligence may result in the application being vulnerable to different types of attacks or being abused.
- Gathering security requirements should be part of the strategic application development process.
Stakeholders: the parties who take part in the requirements discussions
negligence: carelessness, oversight
Gathering Security Requirements
- Eliciting software security requirements takes a different approach.
- They should be enumerated separately from the functional requirements so that they can be reviewed and tested separately.
- Mixing security requirements with functional requirements can make the security requirement gathering process more complicated and inaccurate.
Eliciting: drawing out, bringing to light
enumerated: listed one by one
Why We Need a Different Approach for Security Requirements Gathering
Functional requirements are positive requirements specifying what the software should do.
Security requirements are negative requirements specifying what the software should not do.
This goes against people's natural tendency: they are clear about what they want, but find it quite difficult to describe what they do not want.
Users are usually good at stating what they need, but usually find it hard to clearly identify and define what they do not want.
Software needs to be viewed in a more negative, critical and destructive way to reveal its unintended uses and the security requirements associated with them.
Software requirements are usually treated as urgent and pressing, which indirectly affects how urgently the security requirements get addressed.
Key Benefits of Addressing Security at Requirement Phase
Addressing security at the requirements phase can save the economy billions of dollars compared to addressing security at a later phase of software development.
Security requirements give the developer an overview of the key security controls required to build a secure application.
They also specify the security mechanisms that need to be implemented in order to comply with regulations, standards or requirements for secure application development and attack protection.
Correctly understood security requirements help in implementing security in the design, development and testing stages.