The Elusive Art of Gathering Security Requirements
The Need
• “Gathering security requirements is one of the more undeveloped and misunderstood areas of requirements gathering.” [Haley]
• “Most security issues have come to lie in software as opposed to IT attacks.” [Lamsweerde]
• MS Response Center estimates a base cost of $100,000 for addressing security-related software defects. [Howard]

We Have Software?!?
• Physical security – safes, locks, identification badges, guards, etc.
• Network/computer security – virus protection, firewalls, user accounts and rights, etc.
• Software – did you have to log in?

The Waiting Game
• We have to identify the threats (usually by waiting for an attack to occur) before we can address them.
• New software engineering technologies and techniques introduce new threats.

Domain Expertise
• Doesn’t tend to include security.
• Security requirements are usually non-functional.
• Most MBAs, MDs, accountants, or other procurers have little to no knowledge of potential security threats.

Anti-Goals: Food for Thought
You are not the software engineer. You’re the attacker.

In the Year 2000!!!!
• The need will grow as software becomes more integrated into our society.
• The best approaches we have to date consist primarily of human brainstorming, experience and knowledge. This will probably continue.