When looking at the details, you'll need to consider authentication, access controls, encryption, audit logging,...
and minimum configuration requirements for the underlying server OS, Web server, middleware, and database system. You'll also want to drill down further and address common vulnerabilities related to input validation, URL manipulation, privilege escalation, application logic and so on.
Focus not only on best practices but also on how security can be used as an enabler or provide a competitive advantage to your business. Also, don't overlook the importance of documenting any known limitations the security controls you're building in have - they will exist. List the weaknesses, tradeoffs and any other compensating controls that can be used to keep things in check.
Finally, be careful using other people's requirements. Simply downloading security requirements templates off the Internet is akin to downloading security policy documents and assuming - better yet, hoping - they'll work in your business' best interests. It's OK to get rolling with some general guidelines but only you and your team will know what's best for your business given your own unique situation.
Dig Deeper on Software Quality Resources
Related Q&A from Kevin Beaver
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.