Security requirements are a key part of the requirements of any IT project, so how should they be developed? In two articles I'll cover two general frameworks for developing security requirements.
The first is CLASP.
CLASP (Comprehensive, Lightweight Application Security Process) provides a well-organized, structured approach to developing security requirements at an early stage of the software development life cycle.
CLASP is essentially a set of project activities that can be integrated into any software development process. It is designed to be both effective and easy to adopt: it provides a number of prescriptive methods and activities, together with a large body of security resources that help teams carry out these activities across different types of project.
The following table lists the activities defined in CLASP, grouped by best practice, together with the project roles responsible for each (an owner, and where applicable the key contributors):
| CLASP Best Practice | CLASP Activity | Related Project Roles |
|---|---|---|
| 1. Institute Awareness Programs | Institute security awareness program | Project Manager |
| 2. Perform Application Assessments | Perform security analysis of system requirements and design (threat modeling) | Security Auditor |
| | Perform source-level security review | Owner: Security Auditor; Key contributors: Implementer, Designer |
| | Identify, implement, and perform security tests | Test Analyst |
| | Verify security attributes of resources | Tester |
| | Assess security posture of technology solutions | Owner: Designer; Key contributor: Component Vendor |
| 3. Capture Security Requirements | Identify global security policy | Requirements Specifier |
| | Identify resources and trust boundaries | Owner: Architect; Key contributor: Requirements Specifier |
| | Identify user roles and resource capabilities | Owner: Architect; Key contributor: Requirements Specifier |
| | Specify operational environment | Owner: Requirements Specifier; Key contributor: Architect |
| | Detail misuse cases | Owner: Requirements Specifier; Key contributor: Stakeholder |
| | Identify attack surface | Designer |
| | Document security-relevant requirements | Owner: Requirements Specifier; Key contributor: Architect |
| 4. Implement Secure Development Practices | Apply security principles to design | Designer |
| | Annotate class designs with security properties | Designer |
| | Implement and elaborate resource policies and security technologies | Implementer |
| | Implement interface contracts | Implementer |
| | Integrate security analysis into source management process | Integrator |
| | Perform code signing | Integrator |
| 5. Build Vulnerability Remediation Procedures | Manage security issue disclosure process | Owner: Project Manager; Key contributor: Designer |
| | Address reported security issues | Owner: Designer; Key contributor: Fault Reporter |
| 6. Define and Monitor Metrics | Monitor security metrics | Project Manager |
| 7. Publish Operational Security Guidelines | Specify database security configuration | Database Designer |
| | Build operational security guide | Owner: Integrator; Key contributors: Designer, Architect, Implementer |