High Level Requirements Categories

Intro

Categories of Requirements

Frameworks and stacks

1. A secure, robust, flexible, easily supportable framework shall be chosen
2. A secure, robust, enterprise-worthy platform stack shall be chosen
3. Widely recognized and well-documented APIs (such as the ESAPI) shall be leveraged to ensure speed, consistency, and baseline security of the application
4. Secure coding practices including security training and reviews shall be incorporated into each phase of development

Application Security

1. NO PASSWORDS EMBEDDED IN CODE! REALLY!
2. Input validation
   1. Whitelisting when possible
   2. Blacklisting by exception
   3. Escaping output
3. Session controls
4. Anti-trojan design considerations
   1. Email/SMS/telephone confirmation
   2. 2-factor authentication
   3. Transfer timing controls
   4. Number of simultaneous sessions permitted
   5. Detection of simultaneous sessions from different continents

Authentication considerations

Application

1. See File:OWASP Application Security Requirements - Identification and Authorisation v0.1 (DRAFT).doc

Management and administration tools

1. 2-Factor Authentication

Anti-fraud and business logic flaw considerations

Encryption Requirements

Encryption of Data at rest

Encryption of Data in transit

Encryption of Data while processing

Encryption and obfuscation of code

Hash functions

1. Code signing
2. Message Digests

Whatever Bruce Schneier says

Encryption of Remote Administration and Content Management tools

Compliance

PCI DSS

1. Current requirements
2. OWASP Top 10
3. WAF Integration considerations
4. Ongoing testing considerations

GLBA

1. Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money?!?
2. Go ahead, list some requirements

HIPAA

Basel II

National Compliance Requirements

1. Privacy Policy
2. Logging and log retention
3. Content archiving and retention
4. Protection of minors

State/Province Compliance Requirements

Municipality Compliance Requirments

Compliance with existing contracts and business obligations

Auditability

Logging

Each transaction shall be available for review in detail for a period of no less than one year. Transactions shall be traceable to the username, IP address, and time within 1/100th of a second.

1. Application
2. OS, Webserver, and Database Logging
3. Firewall, WAF, and other security device logging
4. Event Triggers
   1. Periodic log reviews
   2. Event-driven log analysis
      1. Employee termination
      2. Suspected breach
      3. Honeypot trigger

Additional Security Considerations

Steps shall be taken to ensure that support staff reduce the likelihood and are aware of attempted compromise, tampering, fraud, physical theft, of denial of service.

1. Decoys, Honeypots, and other devices for detection and delay
2. Network, Hardware, Physical, OS, Platform, and Framework Considerations
   1. Network Security Considerations
   2. Hardware Security Considerations
   3. Physical Security Considerations
   4. OS Security Considerations
      1. Hardening standards
3. Platform Security Considerations
   1. Hardening standards
   2. Configuration management and auditing
   3. Patching
      1. All components shall be compatible and capable of being fully patched within 30 days of a component security patch release
   4. Minimized attack surface
      1. Removal of all demo code
      2. Changing of all default passwords
      3. Robots.txt and passive crawler considerations

Operational Security Considerations

1. Clean desk policy
2. Bonding of outsourced/off-shored Developers
3. Need to know
4. Trade secrets
5. Posting questions to help, support, and user forums
6. Customer Service Identification and Authenticaion considerations
   1. Distinguishing a legitimate user from a social-engineering scam-artist