Rohit Sethi VP of Product Development Managing Security Requirements in Software Projects

Luncheon 2015-01-15 - Managing Security Requirements in Software Projects by Rohit Sethi



Non-functional Requirements (not "Dis-functional")

The Agile Challenge

•  Iterate
•  Test/scan for defects
•  Fix defects or accept risk
•  Deploy to production

Why Requirements?

[Chart: relative cost to fix a defect, based on the phase in which it is detected. X-axis: Requirements / Architecture; Coding; Integration / Component Testing; System / Acceptance Testing; Production / Post-Release. Y-axis: relative cost to fix, scaled from 1x to 36x. The Requirements / Architecture phase is annotated "Lowest cost, highest ROI". Source: NIST]

Two kinds of NFRs

•  User stories
•  Constraints

Constraint Theory

•  Agilists propose 2 ways to deal with constraints
–  Create a static list of NFRs in a central place such as a wiki or wall
–  Define NFRs in the definition of done / acceptance criteria of a user story

Constraint Practice

•  Bind variables in SQL statements to prevent SQL injection
•  Verify integrity of client-supplied read-only data to prevent parameter manipulation
•  Escape untrusted data in HTML, HTML attributes, Cascading Style Sheets and JavaScript to prevent Cross Site Scripting (XSS)
•  Avoid DOM-based XSS in client-side JavaScript
•  Use safe arithmetic to avoid integer overflow
•  Disallow external redirects to prevent open redirects
•  Authorize protected pages to prevent privilege escalation
•  Use anti cross site request forgery (CSRF) tokens
•  Validate input
•  Use regular expressions that are not vulnerable to Denial of Service
•  Implement transactional authentication for high-value transactions
•  Do not hard code passwords

Effective NFRs

•  Requirement priority
•  Description of the underlying issue to be fixed
•  General description of how to fix the problem, with code samples where possible, and a link to a test case

Library

NFRs can be re-used between projects. ISO/IEC 27034: ONF – Organizational Normative Framework

NFR Library Ingredients

•  System: Excel, SharePoint, commercial tool
•  Expertise: in-house, outsourced
•  Sources: compliance, industry standards

NFR Library Sources

•  PCI-DSS

•  PA-DSS

•  HIPAA

•  ISO 27001

•  NIST 800-53

•  SOX

•  PIPEDA/ECPA/CAN-SPAM

•  EU Privacy and Cookie Laws

•  COPPA

•  California Privacy Act

•  GAPP

•  Privacy Regulations

NFR Library Sources

•  Problem: CWE (Common Weakness Enumeration)
•  Solution:
–  OWASP
–  Vendor secure coding guidelines / best practices
–  Original research!

Filtering

NFR Library → Contextual filter → In-scope NFRs

Process

•  Developer indicates completion of requirement
•  Testers indicate whether requirement passed verification
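The filtering and process steps above, as an added example that is not code from the slides or from SD Elements. A small library of NFRs carries applicability tags; a contextual filter keeps only those whose tags match the project's context and orders them by priority; a tracker then records the developer's completion mark and the tester's verification result, accepting a verification only once the requirement has been marked complete. The library entries, tags, project context and status fields are constructed for illustration.

```python
"""Added example, not code from the slides or from SD Elements: a contextual
filter over an NFR library plus the completion/verification bookkeeping the
process slide describes. Entries, tags and context are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NFR:
    id: str
    title: str
    priority: int                     # 1 = highest
    requires: frozenset               # every tag must be in the project context
    any_of: frozenset = frozenset()   # if non-empty, at least one tag must be present


# Constructed library: applicability is expressed as context tags.
LIBRARY = [
    NFR("NFR-1", "Bind variables in SQL statements", 1, frozenset({"sql"})),
    NFR("NFR-2", "Avoid DOM-based XSS in client-side JavaScript", 2,
        frozenset({"browser-js"})),
    NFR("NFR-3", "Protect stored cardholder data (PCI-DSS)", 1,
        frozenset({"cardholder-data"})),
    NFR("NFR-4", "Use anti-CSRF tokens on state-changing requests", 1,
        frozenset({"web", "session-cookies"})),
    NFR("NFR-5", "Use regular expressions that are not vulnerable to DoS", 3,
        frozenset(), frozenset({"regex-validation", "user-supplied-regex"})),
]


def in_scope(library, context):
    """Contextual filter: keep the NFRs whose tags match the project's context,
    ordered by priority so the team sees the important ones first."""
    ctx = frozenset(context)
    kept = [
        n for n in library
        if n.requires <= ctx and (not n.any_of or n.any_of & ctx)
    ]
    return sorted(kept, key=lambda n: (n.priority, n.id))


class Tracker:
    """Process state per in-scope NFR: developers mark completion, testers
    record whether verification passed. A verification result is only
    accepted after the developer has marked the requirement complete."""

    def __init__(self, nfrs):
        self.status = {n.id: {"done": False, "verified": None} for n in nfrs}

    def developer_done(self, nfr_id: str) -> None:
        self.status[nfr_id]["done"] = True

    def tester_result(self, nfr_id: str, passed: bool) -> bool:
        entry = self.status[nfr_id]
        if not entry["done"]:
            return False          # nothing to verify yet
        entry["verified"] = passed
        return True

    def open_items(self) -> list:
        """IDs still outstanding: not marked done, never verified, or failed."""
        return [i for i, s in self.status.items() if not (s["done"] and s["verified"])]


if __name__ == "__main__":
    # Constructed project context: a web app with a SQL backend and cookie sessions.
    context = {"web", "sql", "session-cookies", "regex-validation"}
    scoped = in_scope(LIBRARY, context)
    for n in scoped:
        print(n.id, n.priority, n.title)
    t = Tracker(scoped)
    t.developer_done("NFR-1")
    t.tester_result("NFR-1", True)
    print("open:", t.open_items())    # ['NFR-4', 'NFR-5']
```

The two tag forms cover the common cases: `requires` for constraints that need a conjunction of facts about the project (a web front end and cookie sessions before CSRF tokens matter), `any_of` for constraints triggered by any one of several features. Tracking done and verified separately is what lets the report distinguish "not started", "awaiting verification" and "failed verification", which is the state the lessons-learned slide's centralized reporting needs.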

SD Elements

•  Our experience
•  Capture context
•  Automate filtering
•  5-step process

Key Lessons Learned

•  Automation allows for scalability
•  Minimize disruption to developers through ALM integration
•  Centralization allows for consistency & reporting across the organization

THANK YOU!

www.securitycompass.com

About Security Compass

Security Compass named as a Gartner Cool Vendor in Application and Endpoint Security 2014: bit.ly/securitycompass


We guide your team in building a customized security blueprint based on your industry, software development lifecycle, and business needs to cost-effectively mitigate risks.