Questions tagged [requirements]
21 questions
14 votes, 5 answers
Should a full disk encrypted hard drive on a live system be considered encryption at rest?
If you are specifying requirements that a certain classification of data be encrypted while at rest (on storage), should the requirement be considered met if the data is stored on a live (turned on) system where all storage media has full disk…
Eric G
10 votes, 6 answers
Are all security requirements expected to be testable?
Many approaches exist to define security requirements. To keep it simple, I would say that to define a security requirement, one needs to model the threat encountered when building up misuse cases for specific use cases being worked out. Still, at the…
Phoenician-Eagle
10 votes, 4 answers
How to define security requirements to ensure that developers... do not provide security by obscurity?
I tried to explain that security by obscurity should not be used but let's say I was challenged!
I received the answer to list the known security by obscurity practices that I know, as a kind of bad practice that should not be followed. Indeed it is…
Phoenician-Eagle
7 votes, 4 answers
What is the difference between misuse and abuse cases in security?
I know that misuse cases are use cases which help identify security requirements, as they highlight the user's goal in misusing the system, but what exactly are abuse cases, and what is the difference, or are these very similar to each other?
rikket
5 votes, 5 answers
Outsourcing software development and its effect on security
Some companies build their own software. Others outsource software development by hiring contractors or other companies to build software they need.
When we need to build new custom software, is there any evidence whether the choice to develop…
D.W.
5 votes, 3 answers
What to consider in an SLA to ensure secure software when outsourcing software development?
To ensure secure development in the offshore team, what are the considerations to be taken into account in the SLA?
I got this as a reference: http://www.it-director.com/enterprise/technology/content.php?cid=10427
Does anyone have any templates and…
Epoch Win
5 votes, 2 answers
Bug bar in the Microsoft SDLC
The Microsoft SDLC model decomposes the requirement phase into different practices, one of which is creating quality gates / a bug bar, where each identified bug should be classified into client or server bugs. Could you please explain to me what is…
user3011084
4 votes, 2 answers
Connection between "Security Requirements Engineering", "Risk Analysis" and "Threat Modeling"
I am trying to figure out how the above concepts fit in together.
As I understood it, Security Requirements Engineering (SRE), Risk Analysis (RA) and Threat Modeling (TM) are methods that ultimately allow an Information System to come closer to the…
daniel f.
4 votes, 2 answers
What are the key elements of a good security requirement?
What does a good security requirement for an application look like? I am talking about functional as well as non-functional security requirements here.
For traceability reasons I consider it important that the requirement is fully testable. I also…
Demento
3 votes, 3 answers
Is it necessary to protect user data if they know and agree to it being insecure?
If I'm running a website that, say, takes a survey, must I protect user data from disclosure if the users are informed initially that it's insecure? I'm not storing financial data or social security numbers, just opinions, (user)names and e-mails.
Moshe
3 votes, 1 answer
MSTG-ARCH-7: All security controls have a centralized implementation
In the OWASP Mobile Application Security Checklist there is a requirement MSTG-ARCH-7 which reads: "All security controls have a centralized implementation".
Now I'm struggling a bit with what is meant by "centralized implementation" in this…
2 votes, 2 answers
Design of a state machine model to solve conflict of interest in Computer Security
I need to design a state machine model to solve conflict of interest in computer security. [I know Chinese wall model but it is an information flow model]
Are there any such existing models?
Any reason as to why we cannot design it as a state…
Chamz Des
1 vote, 0 answers
What security features should a good Email Service Provider (for marketing) have?
To choose the right Email Service Provider (ESP) for e-mail marketing processes, what are security requirements and checklists that we should pay attention to and ask for from vendors?
In other words, what are security risks in an ESP…
Goli E
1 vote, 1 answer
VPN Access to PCI Environment Edge Devices
Does it violate PCI DSS requirements to provide a third party company with a Site-to-Site VPN connection for full management (SSH & HTTPS) access to network security equipment (such as a Web Application Firewall) that protects data in a PCI…
mkeenan
0 votes, 3 answers
Does semi-sensitive information demand encryption / security?
Since it's been requested that this question be rewritten:
Is SSL (or some other encryption equivalent) required in the below case? From a small local business website, is there any damage that an attacker can do with semi-sensitive customer…
souldzin