Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation’s assessments of the world’s most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor


Identify Security Objectives

  
  
When developing an application, it is best to define security objectives and requirements early in the process. Security objectives are goals and constraints that affect the confidentiality, integrity, and availability of your data and application.

Identification of security objectives is the first step you can take to help ensure the security of your application, and it is also one of the most important steps.

Security objectives should be identified as early in the development process as possible, ideally in the requirements and analysis phase. The objectives, once created, can be used to direct all the subsequent security activities that you perform. Security objectives do not remain static, but are influenced by later design and implementation activities.

Identifying security objectives is an iterative process that is initially driven by an examination of the application’s requirements and usage scenarios. By the end of the requirements and analysis phase, you should have a first set of objectives that are not yet tied to design or implementation details. During the design phase, additional objectives will surface that are specific to the application architecture and design. During the implementation phase, you may discover a few additional objectives based upon specific technology or implementation choices that have an impact on overall application security.

Each evolution of the security objectives will affect other security activities. You should review the threat model, architecture and design review guidelines, and general code review guidelines when your security objectives change.

Use the following techniques to help you discover security objectives:

  • Roles Matrix. When an application supports multiple roles, it is important to understand what each role should be allowed to do. This can be accomplished with a roles matrix that contains privileges in rows and roles in columns. Once the roles matrix has been created, you can generate security objectives to ensure the integrity of the application’s roles mechanism. Many systems have multiple roles, and privileges can be assigned flexibly to any role. In this case, your objectives need to be more general.

  • Derive From Functional Requirements. You can generate security objectives by examining every functional requirement in your application through the lens of confidentiality, integrity, and availability (CIA). This provides a very effective mechanism for generating security objectives based on known application characteristics.
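
The roles matrix technique above can be made testable. The following is an added example, not part of the original article or TeamMentor: it derives one objective per matrix cell and audits an access policy against them. The roles, privileges, `MATRIX`, `CONFLICTS` and `DEPLOYED` values are constructed for illustration, and expressing the "more general" objectives as privilege pairs that no role may combine is an assumption.

```python
# Constructed sample matrix: privilege (row) -> roles (columns) allowed to use it.
ROLES = ["anonymous", "customer", "support", "admin"]
MATRIX = {
    "view_catalog":   {"anonymous", "customer", "support", "admin"},
    "place_order":    {"customer"},
    "view_any_order": {"support", "admin"},
    "refund_order":   {"admin"},
    "manage_users":   {"admin"},
}
# General objectives for systems where privileges are assigned flexibly (assumption):
# privilege pairs that no single role may hold together.
CONFLICTS = [("place_order", "refund_order")]

def derive_objectives(matrix, roles):
    """One objective per cell; empty (deny) cells matter as much as allow cells."""
    for priv, allowed in matrix.items():
        if allowed - set(roles):
            raise ValueError(f"{priv}: unknown role(s) {sorted(allowed - set(roles))}")
    return [(role, priv, role in matrix[priv]) for priv in matrix for role in roles]

def audit(objectives, is_allowed):
    """Return (role, privilege, problem) for every objective the policy breaks."""
    findings = []
    for role, priv, expected in objectives:
        actual = is_allowed(role, priv)
        if actual != expected:
            findings.append((role, priv, "excess" if actual else "missing"))
    return findings

def conflict_findings(roles, is_allowed, conflicts=CONFLICTS):
    """Check the general objectives, independent of any one matrix."""
    return [(r, a, b) for r in roles for a, b in conflicts
            if is_allowed(r, a) and is_allowed(r, b)]

# Constructed policy under test: it has drifted from the matrix in two cells.
DEPLOYED = {
    "anonymous": {"view_catalog"},
    "customer": {"view_catalog", "place_order", "refund_order"},
    "support": {"view_any_order"},
    "admin": {"view_catalog", "view_any_order", "refund_order", "manage_users"},
}

def deployed_allows(role, priv):
    return priv in DEPLOYED.get(role, set())

if __name__ == "__main__":
    for finding in audit(derive_objectives(MATRIX, ROLES), deployed_allows):
        print(finding)
    print(conflict_findings(ROLES, deployed_allows))
```

Running the audit whenever the matrix or the policy changes fits the article's point that objectives are revisited as design and implementation evolve.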


Comments

It is an interesting topic in the objective security. I may want to know the implementation of this objective through activities, and what is the significance of it?

I want to apply in our situation in South Sudan, notably in Juba city.
Posted @ Friday, November 02, 2012 10:11 AM by David Wani Lino