IT項目需求中的有一項重要的需求就是安全需求,怎樣制定安全需求,我會分兩篇文章介紹兩種通用的安全需求框架
第一種是CLASP
CLASP (Comprehensive, Lightweight Application Security Process) 提供一種組織良好的、結構化的方法,在軟件開發生命週期的早期階段進行安全需求的制定。
CLASP實際上是一組可以集成到任何軟件開發過程中的項目活動。它被設計成既有效又容易採用。它提供了一些規定性的方法,活動,大量的安全資源,都可以是否有效的幫助我們在項目種開展這些活動。
下面這個表就是CLASP中描述的活動:
|
CLASP Best Practices |
CLASP Activities |
Related Project Roles |
|
1. Institute awareness programs |
Institute security awareness program |
Project manager |
|
2. Perform application assessments |
Perform security analysis of system requirements and design (threat modeling) |
Security auditor |
|
Perform source-level security review |
Owner: security auditor Key contributor: implementer, designer |
|
|
Identify, implement, and perform security tests |
Test analyst |
|
|
Verify security attributes of resources |
Tester |
|
|
Research and assess security posture of technology solutions |
Owner: designer Key contributor: component vendor |
|
|
3. Capture security requirements |
Identify global security policy |
Requirements specifier |
|
Identify resources and trust boundaries |
Owner: architect Key contributor: requirements specifier |
|
|
Identify user roles and resource capabilities |
Owner: architect Key contributor: requirements specifier |
|
|
Specify operational environment |
Owner: requirements specifier Key contributor: architect |
|
|
Detail misuse cases |
Owner: requirements specifier Key contributor: stakeholder |
|
|
Identify attack surface |
Designer |
|
|
Document security-relevant requirements |
Owner: requirements specifier Key contributor: architect |
|
|
4. Implement secure development practices |
Apply security principles to design |
Designer |
|
Annotate class designs with security properties |
Designer |
|
|
Implement and elaborate resource policies and security technologies |
Implementer |
|
|
Implement interface contracts |
Implementer |
|
|
Integrate security analysis into source management process |
Integrator |
|
|
Perform code signing |
Integrator |
|
|
5. Build vulnerability remediation procedures |
Manage security issue disclosure process |
Owner: project manager Key contributor: designer |
|
Address reported security issues |
Owner: designer Fault reporter |
|
|
6. Define and monitor metrics |
Monitor security metrics |
Project manager |
|
7. Publish operational security guidelines |
Specify database security configuration |
Database designer |
|
Build operational security guide |
Owner: integrator Key contributor: designer, architect, implementer |