• Home
• Topics
• Software Requirements Best Practices
• Building security into the SDLC (Software development life cycle)
• How to address security during requirements gathering

How to address security during requirements gathering

Requires Free Membership to View

Login



When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.

Hannah Smalltree, Editorial Director

• E-mail Address: 

By submitting your registration information to SearchSoftwareQuality.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSoftwareQuality.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

In order to discover these security requirements, you have to consider the environment you work within. Some requirements may be dictated for you already if you work in a highly regulated industry or you may need to discover them. Consider who will have access to these systems. Brainstorm to gather your list of users beyond the obvious ones. For example, could an unauthorized user run a report against a database that would expose confidential information?

Security requirements will likely drive the architecture in a certain direction, and considering these requirements up front might also save time or money later on. You may discover there is a pre-packaged security module that can be purchased or that your company has a user authentication system already in place, enabling you to reduce your cost and time to completion. It is probably beneficial to work closely with the application architect during these discussions about security.

Security requirements resources: Authentication and authorization for Web applications Wachovia banks on entitlement management for fine-grained application security Integrating security into your software development life cycle

I worked on a project where a legacy application was being made available via the Internet to company employees. The legacy application did not have major security concerns, since it was installed on an employee's laptop and ran locally. That application benefited from the security of the operating system. However, during the process of making the application available via the Internet, the application team had to consider an entirely new security model. The legacy application as it was did not even require the user to login. That, of course, would no longer work with an Internet-based application, so the team had to consider the security requirements for accessing the system and adding a log-in capability. It turned out there was a single sign-on initiative under way and integrating with that system was the best bet. If we did not ask early on, we might have built yet another authentication system.

Requirements work continual during projects
I'd like to address the term "requirements phase" mentioned in the question. New requirements will be found throughout the lifecycle of the project. The question is how well you manage the change and what impact the new requirements will have on your plan. There is typically more requirements activity early in a project, but I caution against thinking that the "requirements phase" is complete until the next time.

Dig Deeper

This was first published in October 2007

More from Related TechTarget Sites

• SOA
• Java
• Windows Development
• Oracle
• Cloud computing
• Business Analytics

• SOA

  • Using enterprise architecture (EA) and SOA to bridge business and IT

    Implementing strong enterprise architecture and SOA helps support both business and software technology growth.

  • Profiles in application integration

    As both service-oriented and cloud-based architecture take the fore, IT shops increasingly value top-notch integration design. Stories show application integration is changing today.

  • SOA growth reveals benefits and lessons

    Service-oriented architecture is a way of including roles (customers, suppliers, engineers, etc.) and viewing everything as a service. Generally, we recognize services that are provided by people, machines and both. SOA is the most important development in the last ten years and is 1) Business-oriented - "describe what not how" and 2) Message-oriented - "just ask and the service is given."

• Java

  • OCAJP & OCPJP Coverage of New Java 7 Features and APIs: Video Tutorials

    Here at TheServerSide.com, we've been providing some very dedicated coverage to the new features of Java 7, with a look at tackling some of the new Java 7 APIs like the new File I/O (NIO.2) and concurrency libraries with tutorials and learning guides in the near future.

  • OCAJP/OCPJP Video Tutorial: Exploring Binary Notation and Underscores

    This video tutorial demonstrates some new Java 7 features, namely the ability to use binary notation when assigning literal values, along with the ability to use underscores in numbers.

  • Setting Up Eclipse for Java 7 Application Development

    This tutorial follows up on the previous two tutorials on installing Java 7 and configuring the JAVA_HOME environment variable. With those two tasks completed and confirmed, we now demonstrate how to install the Eclipse development tool.

• Windows Development

  • Testing methods in Visual Studio 2010

    This is the second part in a two part series on unit testing in Visual Studio 2010.

  • Unit testing in Visual Studio 2010

    Visual Studio 2010 contains a unit testing framework, and I’ll show you how to use it to automate your own unit tests.

  • Understanding the testing tools in Visual Studio 2010

    Get an overview of the testing tools available in Visual Studio. You will learn which testing features are in which Visual Studio edition.

• Oracle

  • Oracle purchase of Taleo indicates rising SaaS trend

    Oracle has spent $3.4 billion on Taleo and RightNow in the past few months, showing that it is serious about hosting applications in the cloud for its customers.

  • Making Monday the start of the week in Oracle SQL

    One reader asks how to set up a report in Oracle SQL so that Monday is the first day of the week.

  • Oracle Advanced Analytics bundles R with Oracle Database

    Oracle Advanced Analytics is the company’s newest announcement around data analytics, a market that Oracle seeks to blanket with products.

• Cloud computing

  • Keys to integrated cloud application management

    Seamless cloud application management isn’t a pipe dream. By following a few steps, cloud admins can monitor cloud app performance from one interface.

  • Cloud infrastructure providers remain hot commodities

    Cloud infrastructure providers attracted acquisitive suitors last year. Profitable cloud vendors this year will catch the eye of telecoms.

  • Digging deeper into IBM SmartCloud for private clouds

    IBM SmartCloud services give enterprises some options to build private and hybrid clouds and may give IBM a chance to improve its lagging cloud image.

• Business Analytics

  • TDWI BI Executive Summit: Business intelligence benefits & strategies

    Get news and other information resources about strategies for gaining business intelligence benefits, reported from the TDWI World Conference and BI Executive Summit in Las Vegas.

  • Airport retailer leaves Excel behind with BI tools makeover

    The Paradies Shops’ search for BI tools to access data quickly and break away from Excel spreadsheets started with data discovery vendors but didn’t end with them.

  • Hadoop is hot, but not most popular ‘big data’ technology

    New research reveals businesses’ relative lack of “big data” maturity and the hurdles in both technology and analytics techniques they need to overcome.

• About us
• Contact us
• Site index
• Privacy policy
• Advertisers
• Business partners
• Events
• Media kit
• TechTarget corporate site
• Reprints
• Site map