IT 项目的安全需求(一)— CLASP
来源:互联网 发布:在淘宝上买微星笔记本 编辑:程序博客网 时间:2024/05/21 01:55
IT项目需求中的有一项重要的需求就是安全需求,怎样制定安全需求,我会分两篇文章介绍两种通用的安全需求框架
第一种是CLASP
CLASP (Comprehensive, Lightweight Application Security Process) 提供一种组织良好的、结构化的方法,在软件开发生命周期的早期阶段进行安全需求的制定。
CLASP实际上是一组可以集成到任何软件开发过程中的项目活动。它被设计成既有效又容易采用。它提供了一些规定性的方法,活动,大量的安全资源,都可以是否有效的帮助我们在项目种开展这些活动。
下面这个表就是CLASP中描述的活动:
CLASP Best Practices
CLASP Activities
Related Project Roles
1. Institute awareness programs
Institute security awareness program
Project manager
2. Perform application assessments
Perform security analysis of system requirements and design (threat modeling)
Security auditor
Perform source-level security review
Owner: security auditor
Key contributor: implementer, designer
Identify, implement, and perform security tests
Test analyst
Verify security attributes of resources
Tester
Research and assess security posture of technology solutions
Owner: designer
Key contributor: component vendor
3. Capture security requirements
Identify global security policy
Requirements specifier
Identify resources and trust boundaries
Owner: architect
Key contributor: requirements specifier
Identify user roles and resource capabilities
Owner: architect
Key contributor: requirements specifier
Specify operational environment
Owner: requirements specifier
Key contributor: architect
Detail misuse cases
Owner: requirements specifier
Key contributor: stakeholder
Identify attack surface
Designer
Document security-relevant requirements
Owner: requirements specifier
Key contributor: architect
4. Implement secure development practices
Apply security principles to design
Designer
Annotate class designs with security properties
Designer
Implement and elaborate resource policies and security technologies
Implementer
Implement interface contracts
Implementer
Integrate security analysis into source management process
Integrator
Perform code signing
Integrator
5. Build vulnerability remediation procedures
Manage security issue disclosure process
Owner: project manager
Key contributor: designer
Address reported security issues
Owner: designer
Fault reporter
6. Define and monitor metrics
Monitor security metrics
Project manager
7. Publish operational security guidelines
Specify database security configuration
Database designer
Build operational security guide
Owner: integrator
Key contributor: designer, architect, implementer
- IT 项目的安全需求(一)— CLASP
- IT项目的安全需求(二)— SQUARE
- DRP项目(一)----需求的重要性
- 如何进行IT项目的需求调研?
- 如何进行IT项目的需求调研
- 为什么你的项目总是做不好?——需求篇(一)
- IT项目中如何更好的控制客户需求
- 如何做好IT项目管理的需求管理。
- 如何做好IT项目管理的需求管理
- 如何做好IT项目管理的需求管理
- IT项目中客户需求定义的原则和方法
- 我对IT项目需求发掘的一些思考
- 项目需求该怎么做(一)
- JAVAWEB项目--模拟考试系统需求(一)
- 群件的(强)安全需求
- Node博客项目系列(一)项目需求的分析
- 实现从“环信”下载聊天记录,显示在本地项目页面的功能(一)—— 功能需求介绍
- IT项目需求获取和管理
- C/C++ volatile
- js new关键字详解
- scala安装配置
- 匠牛社区AM5728视频loopback实例
- G1 Garbage Collector
- IT 项目的安全需求(一)— CLASP
- Notepad++ 64位 Jsonviewer Compareplugin 安装
- 滑轮滑动+小圆点触发全屏上下滚动并实现不同浏览器窗口下的缩放
- Maven之Tomcat
- codeforces 894B
- Python+Selenium定位不到元素原因及解决方法(报:NoSuchElementException)
- 鼠标拖动改变div容器的大小
- 明年iPhone或支持双卡双待;刘强东:若十年后还是BAT,对国家是种不幸|ServiceHot一周热闻
- 使用阻塞队列爬取代理ip实现爬虫
