Difference between revisions of "High Level Requirements Categories"

Revision as of 07:10, 26 February 2011 (view source) Andylew (talk | contribs) (This is more of a framework of requirements for an overall project than pure Development requirements. Definitely needs work and code-specific requirements should probably be split out from overall r) Newer edit →

(No difference)

---

Revision as of 07:10, 26 February 2011

Intro

Categories of Requirements

Compliance

PCI DSS

Current requirements

OWASP Top 10

WAF Integration considerations

Ongoing testing considerations

GLBA

Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money

Go ahead, list some requirements

HIPAA

Basel II

National Compliance Requirements

Privacy Policy

Log retention

Content archiving and retention

Protection of minors

State/Province Compliance Requirements

Municipality Compliance Requirments

Compliance with existing contracts and business obligations

Auditability

Logging

Application

OS, Webserver, and Database Logging

Firewall, WAF, and other security device logging

Event Triggers

Periodic log reviews

Event-driven log analysis

Employee termination=

Suspected breach

Honeypot trigger

Application Security

NO PASSWORDS EMBEDDED IN CODE! REALLY!

Input validation

Whitelisting when possible

Blacklisting by exception

Escaping output

Session controls

Anti-trojan design considerations

Email/SMS/telephone confirmation

2-factor authentication

Transfer timing controls

Number of simultaneous sessions permitted

Detection of simultaneous sessions from different continents

Authentication considerations

Application

See File:OWASP Application Security Requirements - Identification and Authorisation v0.1 (DRAFT).doc

Management and administration tools

2-Factor Authentication

Anti-fraud and business logic flaw considerations

Additional Security Considerations

Decoys, Honeypots, and other devices for detection and delay

Network, Hardware, Physical, OS, Platform, and Framework Considerations

Network Security Considerations

Hardware Security Considerations

Physical Security Considerations

OS Security Considerations

Hardening standards

Platform Security Considerations

Hardening standards

Configuration management and auditing

Patching

Minimized attack surface

Removal of all demo code=

Changing of all default passwords

Robots.txt and passive crawler considerations

Operational Security Considerations

Clean desk policy

Bonding of outsourced/off-shored Developers

Need to know

Trade secrets

Posting questions to help, support, and user forums

Customer Service Identification and Authenticaion considerations

=Distinguishing a legitimate user from a social-engineering scam-artist=

Encryption Requirements

Encryption of Data at rest

Encryption of Data in transit

Encryption of Data while processing

Encryption and obfuscation of code

Hash functions

Code signing

Message Digests

Whatever Bruce Schneier says

Encryption of Remote Administration and Content Management tools