Requirements analysis and design are the initial stages of every project. The requirements analysis stage confirms the goal of the project, its feasibility, the direction of implementation, and other related issues.
During the requirements phase, security engineers need to understand the security level the product is expected to reach and its main functions; mainly they need to think about its security features. For example, if we need to design a user password retrieval function, we need to decide on the method: will the reset information be sent as a text message to the user’s mobile phone or via e-mail? Many such problems have to be considered from the viewpoint of product development, not only from that of security.
It is important to note that in the field of security, security features and features of security are two different concepts. Security features refers to security-related functionality provided to the user, such as digital certificates or password retrieval questions. Features of security refers to the security of the product’s functions themselves, that is, ensuring they contain as few vulnerabilities as possible.
For example, the security questions commonly used in a “retrieve password” function are a security feature, but if their code implementation has vulnerabilities, they become an unsafe function.
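The distinction is easiest to see in code. The following is an added example, not code from the book or from any product it discusses: two versions of the reset token behind a “retrieve password” feature, a deliberately weak one whose token an attacker can reconstruct without ever receiving the SMS or e-mail, and a hardened one. Names such as `issue_reset_token`, `_RESET_STORE` and the 15-minute `TOKEN_TTL_SECONDS` are assumptions made for the example; actual delivery of the token by SMS or e-mail, rate limiting, and binding the request to the user’s registered contact channel are outside its scope.

```python
import hashlib
import hmac
import secrets

# Added illustration, not code from the book. A constructed in-memory store
# stands in for the database table that would hold outstanding reset tokens:
# user_id -> (sha256 hex digest of the token, unix time at which it expires).
_RESET_STORE = {}

# Hypothetical policy value chosen for the example: a token lives 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def weak_issue_reset_token(user_id: str, now: float) -> str:
    """Deliberately weak variant: the token is derived from guessable inputs.

    The user id is public and the request time is known to within a few
    seconds, so an attacker can regenerate the token without seeing the
    SMS or e-mail it was sent in. The security feature (password retrieval)
    has become an unsafe function.
    """
    return hashlib.md5(f"{user_id}:{int(now)}".encode()).hexdigest()


def weak_attacker_candidates(user_id: str, approx_now: float, window: int) -> set:
    """What an attacker does against the weak variant: enumerate every token
    the server could have produced for user_id within +/- window seconds of
    the moment the reset was requested, then try each one."""
    base = int(approx_now)
    return {
        hashlib.md5(f"{user_id}:{t}".encode()).hexdigest()
        for t in range(base - window, base + window + 1)
    }


def issue_reset_token(user_id: str, now: float) -> str:
    """Hardened variant: unguessable, short-lived, stored only as a hash.

    Returns the token that is delivered to the user (by SMS or e-mail, which
    is outside this example). Only its digest is kept server side, so a leak
    of the store does not hand out usable reset tokens.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _RESET_STORE[user_id] = (digest, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(user_id: str, presented: str, now: float) -> bool:
    """Validate a token taken from the reset link or SMS. Succeeds at most once."""
    record = _RESET_STORE.get(user_id)
    if record is None:
        return False
    stored_digest, expires_at = record
    if now > expires_at:
        _RESET_STORE.pop(user_id, None)  # expired: discard it
        return False
    presented_digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # characters of the digest matched.
    if not hmac.compare_digest(stored_digest, presented_digest):
        return False
    _RESET_STORE.pop(user_id, None)  # single use: burn it on success
    return True


if __name__ == "__main__":
    # Weak variant: the attacker's candidate set contains the real token.
    real = weak_issue_reset_token("carol", 1700000000)
    print("weak token recovered:", real in weak_attacker_candidates("carol", 1700000030, 60))
    # Hardened variant: wrong token fails, right token works exactly once.
    tok = issue_reset_token("alice", 1000.0)
    print("wrong token:", redeem_reset_token("alice", "A" * len(tok), 1001.0))
    print("right token:", redeem_reset_token("alice", tok, 1001.0))
    print("replayed token:", redeem_reset_token("alice", tok, 1002.0))
```

The weak variant is not a contrived bug: tokens built from the user id, a timestamp, or a sequence number are exactly the kind of implementation flaw the text describes, and they pass every functional test because a legitimate user’s token still works. The hardened version depends on three properties that a requirements review should ask for explicitly: the token is drawn from a cryptographic random source, it is stored hashed and expires, and it is accepted only once.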
In the requirements analysis phase, security experts can meet with the project manager, product manager, and architect in order to understand the product background and technical architecture, and then give corresponding suggestions. From past experience, a checklist is helpful to some extent. Here is a checklist created by security expert Lenny Zeltser, for reference.
#1: Business Requirements
What is the application’s primary business purpose? How will the application make money? What are the planned business milestones for developing or improving the application? How is the application marketed? What key benefits does the application offer users? What business continuity provisions have been defined for the application? What geographic areas does the application service?
What data does the application receive, produce, and process? How can the data be classified into categories according to its sensitivity? How might an attacker benefit from capturing or modifying the data? What data backup and retention requirements have been defined for the application?
Who are the application’s end-users? How do the end-users interact with the application? What security expectations do the end-users have?
Which third parties supply data to the application? Which third parties receive data from the application? Which third parties process the application’s data? What mechanisms are used to share data with third parties besides the application itself? What security requirements do the partners impose?
Who has administrative capabilities in the application? What administrative capabilities does the application offer?
In what industries does the application operate? What security-related regulations apply? What auditing and compliance regulations apply?
#2: Infrastructure Requirements
What details regarding routing, switching, firewalling, and load-balancing have been defined? What network design supports the application? What core network devices support the application? What network performance requirements exist? What private and public network links support the application?
What operating systems support the application? What hardware requirements have been defined? What details regarding required OS components and lock-down needs have been defined?
What network and system performance monitoring requirements have been defined? What mechanisms exist to detect malicious code or compromised application components? What network and system security monitoring requirements have been defined?
Virtualization and Externalization
What aspects of the application lend themselves to virtualization? What virtualization requirements have been defined for the application? What aspects of the product may or may not be hosted via the cloud computing model?
#3: Application Requirements
What frameworks and programming languages have been used to create the application? What process, code, or infrastructure dependencies have been defined for the application? What databases and application servers support the application?
What data entry paths does the application support? What data output paths does the application support? How does data flow across the application’s internal components? What data input validation requirements have been defined? What data does the application store and how? What data is or may need to be encrypted and what key management requirements have been defined? What capabilities exist to detect the leakage of sensitive data? What encryption requirements have been defined for data in transit over WAN and LAN links?
What user identification and authentication requirements have been defined? What session management requirements have been defined? What access requirements have been defined for URI and service calls? What user authorization requirements have been defined? How are user identities maintained throughout transaction calls? What user access restrictions have been defined? What user privilege levels does the application support?
What application performance monitoring requirements have been defined? What application security monitoring requirements have been defined? What application error handling and logging requirements have been defined? How are audit and debug logs accessed, stored, and secured? What application auditing requirements have been defined?
How many logical tiers group the application’s components? How is intermediate or in-process data stored in the application components’ memory and in cache? What application design review practices have been defined and executed? What staging, testing, and Quality Assurance requirements have been defined?
#4: Security Program Requirements
What access do system and network administrators have to the application’s sensitive data? What security incident requirements have been defined? What physical controls restrict access to the application’s components and data? What is the process for granting access to the environment hosting the application? What is the process for identifying and addressing vulnerabilities in network and system components? How do administrators access production infrastructure to manage it? What is the process for identifying and addressing vulnerabilities in the application?
What mechanisms exist to detect violations of change management practices? How are changes to the infrastructure controlled? How are changes to the code controlled? How is code deployed to production?
How do developers assist with troubleshooting and debugging the application? What requirements have been defined for controlling access to the application’s source code? What data is available to developers for testing? What secure coding processes have been established?
Which personnel oversee security processes and requirements related to the application? What employee initiation and termination procedures have been defined? What controls exist to protect a compromise in the corporate environment from affecting production? What security governance requirements have been defined? What security training do developers and administrators undergo? What application requirements impose the need to enforce the principle of separation of duties? What corporate security program requirements have been defined?
In addition, during the requirements analysis and design stages, we should find out whether the project includes any third-party software. If it does, we need to evaluate carefully whether that software is secure, because third-party components are a frequent source of problems. If the risk assessment finds that the third-party software has problems, we should replace it or mitigate the risk by other means.
In the requirements analysis and design stages, because businesses are so diverse, a checklist cannot necessarily cover every situation. In the real world our work depends much more on experience.
A good practice for a company is to classify its data into grades according to sensitivity and then provide protection suited to each grade. When reviewing a project’s requirements and design, we can apply different protection standards to the different sensitivity levels of the data.