1. Security Requirement Gathering: Requirement gathering, or information gathering, is the first phase of the SDLC and builds the foundation for any application to be developed. Assuming that a Business Analyst is responsible for gathering the relevant application information, s/he will typically have very limited knowledge of security and of the level of security detail that should be gathered from the respective Client/Customer. Because of this limitation, there is a tremendous opportunity for Security professionals to step in and gather all the security-related information.
So what actually happens in this Security Requirement Gathering phase? Security professionals have to gather the basic security information and educate their respective Clients/Customers about the need for security in this phase. This information should focus on the triad of Information Security, the Confidentiality, Integrity and Availability (CIA) of both the information and the application itself. Some examples of security requirements to gather are:
- Data Classification: Restricted / Highly Confidential / Confidential / Public
- Application Type: Thick client / Thin Client / Web Services / Native / Hybrid apps / …
- Transport Layer Security: OpenSSL / SSL / TLS / …
- and the list can go on…
Once our Security professional has gathered the relevant Security Requirements, these should be evaluated against either the Client’s Security Standards or the Organization’s (Service Provider’s) Security Standards to determine what level of security has been considered, and the requirements should be updated (if necessary) so that they meet at least the basic security requirements. Store all of this information in your project repository and advance to the next phase.
To sum it up:
- Gather Security Requirements
- Evaluate Security Requirements
- Recommend updates to the Requirements (if necessary)
- Carry forward all artifacts and observations to the next phase of SDLC
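The four steps above (gather, evaluate against a standard, recommend updates, carry the artifacts forward) can be made concrete as a small evaluation routine. The following is an added example, not code from the original article; the baseline standard it uses (which minimum transport protocol, authentication and encryption-at-rest controls each data classification requires) is a constructed assumption standing in for a real Client or Organization security standard, and the gathered requirements it evaluates are constructed sample input.

```python
"""Evaluate gathered security requirements against a baseline standard.

Added example. BASELINE and TRANSPORT_RANK are constructed assumptions,
not any real organization's security standard.
"""
from dataclasses import dataclass, field

# Constructed ordering of transport protocols; a higher rank is stronger.
# Values that are not a protocol version (e.g. the library name "OpenSSL")
# are deliberately absent so they are flagged as a gap to be clarified.
TRANSPORT_RANK = {
    "SSL 2.0": 0, "SSL 3.0": 1,
    "TLS 1.0": 2, "TLS 1.1": 3, "TLS 1.2": 4, "TLS 1.3": 5,
}

# Constructed baseline: minimum controls per data classification
# (the classifications match the ones listed in the article).
BASELINE = {
    "Public":              {"min_transport": "TLS 1.0", "auth_required": False, "encrypt_at_rest": False},
    "Confidential":        {"min_transport": "TLS 1.2", "auth_required": True,  "encrypt_at_rest": False},
    "Highly Confidential": {"min_transport": "TLS 1.2", "auth_required": True,  "encrypt_at_rest": True},
    "Restricted":          {"min_transport": "TLS 1.3", "auth_required": True,  "encrypt_at_rest": True},
}


@dataclass
class Gap:
    """One place where the gathered requirement falls short of the baseline."""
    control: str
    gathered: object
    required: object
    recommendation: str


def evaluate_requirements(gathered: dict, baseline: dict = BASELINE) -> list:
    """Step 2: compare gathered requirements with the baseline for their data classification."""
    classification = gathered.get("data_classification")
    if classification not in baseline:
        raise ValueError(f"unknown data classification: {classification!r}")
    required = baseline[classification]
    gaps = []

    # Transport: an unknown value (rank -1) counts as a gap because the
    # requirement does not state a protocol version at all.
    transport = gathered.get("transport", "")
    min_transport = required["min_transport"]
    if TRANSPORT_RANK.get(transport, -1) < TRANSPORT_RANK[min_transport]:
        gaps.append(Gap("transport", transport, min_transport,
                        f"Require {min_transport} or newer for {classification} data"))

    # Boolean controls the baseline demands but the requirement omits or denies.
    for control in ("auth_required", "encrypt_at_rest"):
        if required[control] and not gathered.get(control, False):
            gaps.append(Gap(control, gathered.get(control), True,
                            f"Add '{control}' to the requirements for {classification} data"))
    return gaps


def build_artifact(gathered: dict, gaps: list, accepted_risks=()) -> dict:
    """Steps 3 and 4: split gaps into recommended updates and risk-accepted
    items, producing the record to store and carry into the next phase."""
    accepted = set(accepted_risks)
    return {
        "requirements": dict(gathered),
        "recommended_updates": [g.recommendation for g in gaps if g.control not in accepted],
        "accepted_risks": [g.control for g in gaps if g.control in accepted],
    }


# Constructed sample input: what a gathering session might have recorded.
SAMPLE_REQUIREMENTS = {
    "data_classification": "Restricted",
    "application_type": "Web Services",
    "transport": "TLS 1.2",
    "auth_required": True,
    "encrypt_at_rest": False,
}

if __name__ == "__main__":
    found = evaluate_requirements(SAMPLE_REQUIREMENTS)
    for g in found:
        print(f"{g.control}: gathered={g.gathered!r}, required={g.required!r} -> {g.recommendation}")
    print(build_artifact(SAMPLE_REQUIREMENTS, found, accepted_risks=["encrypt_at_rest"]))
```

Run as a script, the sample above yields two gaps (TLS 1.2 is below the constructed TLS 1.3 minimum for Restricted data, and encryption at rest is missing); with `encrypt_at_rest` marked as an accepted risk, the artifact carries one recommended update and one accepted risk forward. Swapping BASELINE for the actual Client or Organization standard is the only change needed to use the same check on a real project.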
Benefits of integrating Security in Phase 1:
- Security Requirements are clear
- Any gaps will be identified and either rectified or carried forward with risk acceptance
- Assists in identifying additional security vulnerabilities in the next phase of SDLC