Security Requirements for IT Projects (I): CLASP

Source: Internet
Author: User

Security requirements are one of the key parts of the requirements for any IT project, and the question is how to develop them systematically. In this article and the next I cover two general frameworks for capturing security requirements.

The first is CLASP.

CLASP (Comprehensive, Lightweight Application Security Process) provides a well-organized, structured approach to developing security requirements at an early stage of the software development life cycle, before design and implementation decisions have hardened around them.

CLASP is a set of project activities that can be integrated into any software development process. It is designed to be both effective and easy to use: each activity is prescriptive, assigns an owning project role (and, where relevant, key contributors), and is backed by a large body of security resources that help carry the activity out across different project types. The activities are grouped under seven best practices.

The following table lists the CLASP activities grouped by best practice, with the project role that owns each activity and the key contributors where CLASP names them:

CLASP Best Practice | CLASP Activity | Owner | Key Contributor(s)
--- | --- | --- | ---
1. Institute Awareness Programs | Institute security awareness program | Project Manager | -
2. Perform Application Assessments | Perform security analysis of system requirements and design (threat modeling) | Security Auditor | -
 | Perform source-level security review | Security Auditor | Implementer, Designer
 | Identify, implement, and perform security tests | Test Analyst | -
 | Verify security attributes of resources | Tester | -
 | Assess security posture of technology solutions | Designer | Component Vendor
3. Capture Security Requirements | Identify global security policy | Requirements Specifier | -
 | Identify resources and trust boundaries | Architect | Requirements Specifier
 | Identify user roles and resource capabilities | Architect | Requirements Specifier
 | Specify operational environment | Requirements Specifier | Architect
 | Detail misuse cases | Requirements Specifier | Stakeholder
 | Identify attack surface | Designer | -
 | Document security-relevant requirements | Requirements Specifier | Architect
4. Implement Secure Development Practices | Apply security principles to design | Designer | -
 | Annotate class designs with security properties | Designer | -
 | Implement and elaborate resource policies and security technologies | Implementer | -
 | Implement interface contracts | Implementer | -
 | Integrate security analysis into source management process | Integrator | -
 | Perform code signing | Integrator | -
5. Build Vulnerability Remediation Procedures | Manage security issue disclosure process | Project Manager | Designer
 | Address reported security issues | Designer | Fault Reporter
6. Define and Monitor Metrics | Monitor security metrics | Project Manager | -
7. Publish Operational Security Guidelines | Specify database security configuration | Database Designer | -
 | Build operational security guide | Integrator | Designer, Architect, Implementer

A "-" in the last column means CLASP assigns the activity to its owner alone, with no named key contributor.
