https://wiki.owasp.org/index.php?action=history&feed=atom&title=SAMM_-_Security_Requirements_-_2 SAMM - Security Requirements - 2 - Revision history 2026-04-18T07:06:56Z Revision history for this page on the wiki MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=SAMM_-_Security_Requirements_-_2&diff=193634&oldid=prev David Fern at 00:43, 20 April 2015 2015-04-20T00:43:50Z <p></p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:43, 20 April 2015</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l58" >Line 58:</td> <td colspan="2" class="diff-lineno">Line 58:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Additional Resources===</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Additional Resources===</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">[[:Category:SAMM-SR-2]]</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/div&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/div&gt;</div></td></tr> <tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l64" >Line 64:</td> <td colspan="2" class="diff-lineno">Line 64:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>__NOTOC__ __NOEDITSECTION__</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>__NOTOC__ __NOEDITSECTION__</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:SAMM-SR-2]]</ins></div></td></tr> </table> David Fern https://wiki.owasp.org/index.php?title=SAMM_-_Security_Requirements_-_2&diff=60118&oldid=prev Pravir Chandra at 00:54, 5 May 2009 2009-05-05T00:54:10Z <p></p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:54, 5 May 2009</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{OpenSAMM}}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{OpenSAMM}}</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Category:OWASP Software Assurance Maturity Model Project]]</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;float:left; width:65%;&quot;&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;float:left; width:65%;&quot;&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border2=2}}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border2=2}}</div></td></tr> </table> Pravir Chandra https://wiki.owasp.org/index.php?title=SAMM_-_Security_Requirements_-_2&diff=59944&oldid=prev Pravir Chandra at 00:13, 3 May 2009 2009-05-03T00:13:56Z <p></p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:13, 3 May 2009</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l9" >Line 9:</td> <td colspan="2" class="diff-lineno">Line 9:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;width:100%; float:left;&quot;&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;width:100%; float:left;&quot;&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''Objective: </del>Increase granularity of security requirements derived from business logic and known risks<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">{{SAMM-ObjectiveC2|name=Security Requirements|obj=</ins>Increase granularity of security requirements derived from business logic and known risks<ins class="diffchange diffchange-inline">}}</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; &lt;div style=&quot;width:30%; float:right; padding-top:50px; padding-left:10px;&quot;&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; &lt;div style=&quot;width:30%; float:right; padding-top:50px; padding-left:10px;&quot;&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>====Results====</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>====Results====</div></td></tr> </table> Pravir Chandra https://wiki.owasp.org/index.php?title=SAMM_-_Security_Requirements_-_2&diff=59884&oldid=prev Pravir Chandra: New page: {{OpenSAMM}} Category:OWASP Software Assurance Maturity Model Project <div style="float:left; width:65%;"> {{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border2=2}} </div> <div s... 2009-05-02T18:19:47Z <p>New page: {{OpenSAMM}} <a href="/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project" class="mw-redirect" title="Category:OWASP Software Assurance Maturity Model Project">Category:OWASP Software Assurance Maturity Model Project</a> &lt;div style=&quot;float:left; width:65%;&quot;&gt; {{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border2=2}} &lt;/div&gt; &lt;div s...</p> <p><b>New page</b></p><div>{{OpenSAMM}}<br /> [[Category:OWASP Software Assurance Maturity Model Project]]<br /> &lt;div style=&quot;float:left; width:65%;&quot;&gt;<br /> {{SAMM-BadgeList|name=Security_Requirements|abbr=SR|border2=2}}<br /> &lt;/div&gt;<br /> &lt;div style=&quot;float:right; width:30%;&quot;&gt;<br /> [http://www.owasp.org/index.php/SAMM_-_Construction http://www.opensamm.org/downloads/BackButton.png]<br /> &lt;/div&gt;<br /> <br /> &lt;div style=&quot;width:100%; float:left;&quot;&gt;<br /> '''Objective: Increase granularity of security requirements derived from business logic and known risks'''<br /> &lt;div style=&quot;width:30%; float:right; padding-top:50px; padding-left:10px;&quot;&gt;<br /> ====Results====<br /> * Detailed understanding of attack scenarios against business logic<br /> * Prioritized development effort for security features based on likely attacks<br /> * More educated decision-making for tradeoffs between features and security efforts<br /> * Stakeholders that can better avoid functional requirements that inherently have security flaws<br /> <br /> ====Add’l Success Metrics====<br /> * &gt;75% of all projects with updated abuse-case models within past 6 months<br /> <br /> ====Add’l Costs====<br /> * Project overhead from buildout and maintenance of abuse-case models<br /> <br /> ====Add’l Personnel====<br /> * Security Auditor (2 days/yr)<br /> * Managers (1 day/yr)<br /> * Architects (2 days/yr)<br /> * Business Owners (1 day/yr)<br /> <br /> ====Related Levels====<br /> * Threat Assessment - 1 &amp; 3<br /> * Strategy &amp; Metrics - 1<br /> <br /> &lt;/div&gt;<br /> &lt;div style=&quot;float:left; width:65%;&quot;&gt;<br /> ==Activities==<br /> ===A. Build an access control matrix for resources and capabilities===<br /> Based upon the business purpose of the application, identify user and operator roles. Additionally, build a list of resources and capabilities by gathering all relevant data assets and application-specific features that are guarded by any form of access control.<br /> <br /> In a simple matrix with roles on one axis and resources on the other, consider the relationships between each role and each resource and note in each intersection the correct behavior of the system in terms of access control according to stakeholders.<br /> <br /> For data resources, it is important to note access rights in terms of creation, read access, update, and deletion. For resources that are features, gradation of access rights will likely be application-specific, but at a minimum note if the role should be permitted access to the feature.<br /> <br /> This permission matrix will serve as an artifact to document the correct access control rights for the business logic of the overall system. As such, it should be created by the project teams with input from business stakeholders. After initial creation, it should be updated by business stakeholders before every release, but usually toward the beginning of the design phase.<br /> <br /> ===B. Specify security requirements based on known risks===<br /> Explicitly review existing artifacts that indicate organization or project-specific security risk in order to better understand the overall risk profile for the software. When available, draw on resources such as the high-level business risk profile, individual application threat models, findings from design review, code review, security testing, etc.<br /> <br /> In addition to review of existing artifacts, use abuse-case models for an application to serve as fuel for identification of concrete security requirements that directly or indirectly mitigate the abuse scenarios.<br /> <br /> This process should be conducted by business owners and security auditors as needed. Ultimately, the notion of risks leading to new security requirements should become a built-in step in the planning phase whereby newly discovered risks are specifically assessed by project teams.<br /> <br /> &lt;/div&gt;<br /> &lt;/div&gt;<br /> <br /> &lt;div style=&quot;float:left; width:100%;&quot;&gt;&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;<br /> ----<br /> ----<br /> ===Additional Resources===<br /> <br /> <br /> &lt;/div&gt;<br /> <br /> <br /> __NOTOC__ __NOEDITSECTION__</div> Pravir Chandra