The first thing a seasoned application developer does when starting a project is to get a handle on the scope and learn the requirements. It doesn’t matter whether you are building a database driven Web app or some backend Cobol batch job and it doesn’t matter if you are a fan of agile or waterfall methodology. It’s been like this since for generations of developers, so why is it that Lisa Young of Carngie Mellon’s CERT feels the need to call on security pros to do the same?
ComputerWorld is reporting on a talk she gave at the European Computer Audit, Control and Security Conference which includes points like:
Security requirements have to spring from business-process needs, she stressed. “Requirements should be driven by owners of business processes, not the caretakers of technology,” Young said.
and
“People just haven’t thought of security as a discipline that can be measured, managed and mapped. It’s a new way of looking at it,”
There will be a lot of application developers scratching their heads wondering how their security colleagues got away without requirements for so long. Granted, managing security is different from developing apps, however, good requirements include both functional requirements (i.e.. what the app should do) and non-functional requirements (i.e.. how it should do it and this includes maintenance, scalability and of course security).
For security pros, the starting point is risk analysis, that’s should capture the scope of security requirements. Young advocates using CERT’s research on resiliency engineering .
