
OWASP Top Ten Proactive Controls 2018 | C1: Define Security Requirements

Learn why defining security requirements is crucial for software development. Discover how to implement secure features and prevent vulnerabilities.

Overview

This article discusses the importance of defining security requirements in software development and provides guidelines for implementing secure features. It introduces the OWASP ASVS as a catalog of security requirements and highlights the use of user stories and misuse cases to expand upon these requirements. The implementation process and the role of testing in confirming the correct implementation of security features are also explained. The article emphasizes that incorporating security requirements from the beginning of the software development lifecycle helps prevent vulnerabilities.


Description

A security requirement is a statement of needed security functionality that ensures one of the many security properties of software (confidentiality, integrity, availability, accountability, and so on) is satisfied. Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities, and each one should be written so that it can be verified by a test. The OWASP Application Security Verification Standard (ASVS) is the catalog of such requirements that this control builds on.


How to Prevent?

Security requirements must be defined at the start of the software development lifecycle, not retrofitted after a vulnerability is found. Developers can use the OWASP ASVS to select the controls that apply to their application and the verification level appropriate to its risk. Each selected requirement is then expanded into a user story (what a legitimate user must be able to do) and a misuse case (what an attacker must not be able to do), which makes the requirement concrete enough to implement and to test. Implementation should be documented, and automated tests should confirm that the security feature behaves as specified; a requirement that has not been tested has not been verified.


Example Attack Scenarios:

  • Default Passwords:  Many frameworks, databases, admin consoles, and other components ship with well-known default credentials. If these are never changed, an attacker simply logs in with the vendor default and gains administrative access without exploiting any bug in the application code. The corresponding security requirement is to verify that no default passwords are in use for the application framework or any component the application depends on, and to confirm that with a test rather than a one-time manual check.
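The following is an example added for this article (it is not OWASP's code nor the page vendor's) showing how the default-password requirement above, together with its misuse case, can be turned into an automated check as the "How to Prevent?" section recommends. The account records, the list of default credentials, the component names, and the PBKDF2 hashing scheme are all constructed assumptions; a real check would load accounts from the application and its components.

```python
"""Security requirement as an automated test: no default passwords in use.

Added example, not code from OWASP or from the original page. Accounts,
component names, the default-credential list and the PBKDF2 scheme are
constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed list of vendor/component default credentials (username, password).
# A real list would come from the components actually in the deployment.
KNOWN_DEFAULTS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("sa", ""),          # empty default password must be covered too
]

PBKDF2_ITERATIONS = 50_000  # assumption: stand-in for the app's real scheme


@dataclass(frozen=True)
class Account:
    source: str     # which component owns the account, e.g. "database"
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password; only hashes are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_account(source: str, username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(source, username, salt, hash_password(password, salt))


def sample_accounts() -> list:
    """Constructed inventory: two components still on vendor defaults."""
    return [
        new_account("app-console", "admin", "admin"),             # default
        new_account("database", "sa", ""),                         # default
        new_account("ci", "deploy", "correct horse battery staple"),
        new_account("jenkins", "admin", "Rj7!q2ZpL0vX#sd9"),       # changed
    ]


def login(accounts: list, source: str, username: str, password: str) -> bool:
    """Misuse case: an attacker tries to log in with a vendor default."""
    for acct in accounts:
        if acct.source == source and acct.username == username:
            candidate = hash_password(password, acct.salt)
            return hmac.compare_digest(candidate, acct.pw_hash)
    return False


def find_default_credentials(accounts: list, defaults=KNOWN_DEFAULTS) -> list:
    """Return (source, username) pairs whose stored hash matches a known default.

    Only hashes are available, so each default candidate for the same username
    is re-hashed with the account's salt and compared in constant time.
    """
    violations = []
    for acct in accounts:
        for user, pw in defaults:
            if user != acct.username:
                continue
            if hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
                violations.append((acct.source, acct.username))
                break
    return violations


def requirement_satisfied(accounts: list) -> bool:
    """The C1 requirement as a yes/no verification result."""
    return not find_default_credentials(accounts)


if __name__ == "__main__":
    inventory = sample_accounts()
    for source, user in find_default_credentials(inventory):
        print(f"FAIL: {source} account '{user}' still uses a default password")
    print("requirement satisfied:", requirement_satisfied(inventory))
```

Run this as part of the test suite so that the requirement is re-verified on every build; adding a new component to the deployment means adding its defaults to the list, which is exactly the kind of change a misuse-case review should catch.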
