Why Requirements?
[Chart: relative cost to fix, based on time of detection (y-axis from 1x to 36x), across the stages Requirements / Architecture, Coding, Integration / Component Testing, System / Acceptance Testing, and Production / Post-Release; the requirements stage is labelled "Lowest cost, highest ROI". Source: NIST]
Constraint Theory
• Agilists propose 2 ways to deal with constraints:
– Create a static list of NFRs in a central place such as a wiki or wall
– Define NFRs in the definition of done / acceptance criteria of a user story
Constraint Practice
• Bind variables in SQL statements to prevent SQL injection
• Verify integrity of client-supplied read-only data to prevent parameter manipulation
• Escape untrusted data in HTML, HTML attributes, Cascading Style Sheets and JavaScript to prevent Cross Site Scripting (XSS)
• Avoid DOM-based XSS in client-side JavaScript
• Use safe arithmetic to avoid integer overflow
• Disallow external redirects to prevent open redirects
• Authorize protected pages to prevent privilege escalation
• Use anti-cross-site request forgery (CSRF) tokens
• Validate input
• Use regular expressions that are not vulnerable to Denial of Service
• Implement transactional authentication for high-value transactions
• Do not hard-code passwords
General description on how to fix the problem along with code samples if possible, and link to test case
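As an added example (not from the slides and not SD Elements code) of what a library entry's "code samples" and "test case" could look like for the first constraint above, bind variables in SQL: the concatenated query beside the parameterized one, using Python's standard sqlite3 module on a constructed in-memory table, with a check a tester could run to verify the requirement.

```python
import sqlite3

# Constructed sample data: a small in-memory user table, not real accounts.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'problem' form (CWE-89): user input is concatenated into the statement
    text, so quote characters in the input change the query's structure."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """The 'solution' form from the constraint list: the value is passed as a
    bind variable, so the database treats it as data, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def verify_constraint() -> bool:
    """The 'test case' a library entry would link to: with an input containing
    quote characters, the bound query must return only exact-name matches
    (here none), whereas the concatenated query's result set changes."""
    conn = make_db()
    probe = "x' OR 'a'='a"   # constructed probe input, no such user exists
    unsafe_rows = lookup_unsafe(conn, probe)
    bound_rows = lookup_bound(conn, probe)
    return len(bound_rows) == 0 and len(unsafe_rows) == len(SAMPLE_USERS)


if __name__ == "__main__":
    print("bind-variable constraint verified:", verify_constraint())
```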
Library
NFRs can be re-used between projects. ISO/IEC 27034: ONF – Organizational Normative Framework
NFR Library Ingredients
• System
– Excel
– SharePoint
– Commercial tool
• Expertise
– In-house
– Outsourced
• Sources
– Compliance
– Industry standards
NFR Library Sources
• PCI-DSS
• PA-DSS
• HIPAA
• ISO 27001
• NIST 800-53
• SOX
• PIPEDA/ECPA/CAN-SPAM
• EU Privacy and Cookie Laws
• COPPA
• California Privacy Act
• GAPP
• Privacy Regulations
NFR Library Sources
• Problem: CWE (Common Weakness Enumeration)
• Solution:
– OWASP
– Vendor Secure Coding Guidelines / Best Practices
– Original research!
Process
• Developer indicates completion of requirement
• Testers indicate whether requirement passed verification
Key Lessons Learned
• Automation allows for scalability
• Minimize disruption to developers through ALM integration
• Centralization allows for consistency & reporting across the organization
About Security Compass
Security Compass named as a Gartner Cool Vendor in Application and Endpoint Security 2014 bit.ly/securitycompass
How I 'stole' $14 million from a bank
Failing to test your DDoS Defenses can backfire
How Banking Trojans empty your bank accounts
'Quantum Dawn 2' Is a Cyber-Attack Bank Drill
Video: Adobe uses SD Elements in the SPLC
We guide your team in building a customized security blueprint based on your industry, software development lifecycle, and business needs to cost-effectively mitigate risks.