How to gather security requirements for software projects and what to look for

There are a many things to focus on when defining security requirements for any software development effort. But the most prominent should be long term ones like input validation, URL manipulation and logic.

Kevin Beaver, Principle Logic, LLC

Published: 26 Jul 2010

What is the best way of gathering security requirements? Are there examples of standard security requirements for different types of applications (ie. Web applications?)

The best way to gather security requirements is to think big and think long term. What is it you're trying to accomplish with the application you're building? How will security add value to the overall problem that's addressed by the application? Will the necessary controls for today serve the application well down the road? Determine the specific business goals first and then you can drill down from there and determine specific security requirements.

When looking at the details, you'll need to consider authentication, access controls, encryption, audit logging, and minimum configuration requirements for the underlying server OS, Web server, middleware, and database system. You'll also want to drill down further and address common vulnerabilities related to input validation, URL manipulation, privilege escalation, application logic and so on.

Focus not only on best practices but also on how security can be used as an enabler or provide a competitive advantage to your business. Also, don't overlook the importance of documenting any known limitations the security controls you're building in have - they will exist. List the weaknesses, tradeoffs and any other compensating controls that can be used to keep things in check.

Finally, be careful using other people's requirements. Simply downloading security requirements templates off the Internet is akin to downloading security policy documents and assuming - better yet, hoping - they'll work in your business' best interests. It's OK to get rolling with some general guidelines but only you and your team will know what's best for your business given your own unique situation.

How to gather security requirements for software projects and what to look for

There are a many things to focus on when defining security requirements for any software development effort. But the most prominent should be long term ones like input validation, URL manipulation and logic.

Dig Deeper on Topics Archive

A guide to CDN technology benefits, providers and services

How to choose the right CDN service for your organization

Challenges of data management in the internet of things

5 crucial multi-cloud disaster recovery principles

Related Q&A from Kevin Beaver

Inbound vs. outbound firewall rules: What are the differences?

Host IDS vs. network IDS: Which is better?

Network security vs. application security: What's the difference?

SearchCloudComputing

IBM acquisition spree targets hybrid cloud consulting market

How to choose between IaaS and SaaS cloud models

COVID-19 and remote work shift cloud predictions for 2021

SearchAppArchitecture

The differences between SVN and Git that matter

Examining the low-code market's race for citizen developers

BPM vs. BPA: The differences in strategy and tooling

SearchITOperations

Logging as a service isn't SIEM -- so what is it?

Flush with funds, rising DevSecOps vendor reveals roadmap

Evaluate Spinnaker vs. Jenkins for CI/CD

TheServerSide.com

Test your knowledge of JVM profiling tools with this quiz

What's in a name? What developers can expect in Jakarta EE 9

Test your knowledge of variable naming conventions

SearchAWS

Amazon's impact on publishing transforms the book industry

How Amazon and COVID-19 influence 2020 seasonal hiring trends

New Amazon grocery stores run on computer vision, apps