When performing a software requirements analysis, a software developer safety requirements need to be defined. applied to the developed software. Definition and documentation of safety requirements for software are implemented when performing software requirements analysis for their further use in software life cycle processes, related to the design, implementation and testing of software, with in order to prevent the appearance of program vulnerabilities. It is customary to distinguish the following types of security requirements, applied to the software:
– safety functional requirements describing actions that the software must perform in order to neutralize information security threats;
– non-functional requirements describing the properties and software parameters related to threat mitigation information security.
As a rule, a description of the functional requirements for security is performed in terms of input and output data programs. As an example of a functional requirement for security, you can bring the requirement to implement identification and authentication of the user, described with using input data (for example, passed user id and password) and output (for example, a message given to the user, or an entry in event log) of the program. An example non-functional security requirement may be the requirement for how the program stores information, used for identification and authentication users, or log format requirement events.
Typical actions performed in preparation for implementing a measure to develop secure software ensure
In preparation for the implementation of a measure to develop a safe The software developer needs to:
a) investigate the software developer’s existing processes in boundaries of the scope of measures to develop a safe software related to the analysis of software requirements;
b) select and install in the software development environment tools for implementing measures to development of secure software, taking into account the recommendations, presented in Appendix B;
c) determine the procedure for collecting information about the area application of the developed software and the type of processed information, taking into account the need to perform the following typical actions:
1) identify market segments, industry directions and/or security classes of information systems, in which it is planned to use the developed software;
2) identify use cases being developed ON;
3) determine what data should be processed developed software (for example, information containing information constituting a state secret, personal data, data constituting banking secret) and how they are processed (for example, creating, storage, transfer);
4) determine the characteristics of the intended environment operation of the software, including elements of the environment operation of the software with which it must be integrated (jointly function) developed software;
d) determine the order of preliminary analysis potential information security threats (optional — see 5.2.1) as needed performing the following typical actions:
1) identify potential security threats information, the neutralization of which should ensure the software being developed and (or) the environment for its operation;
2) make assumptions about the operating environment of the software, related to information security;
e) determine how protection objectives are identified information, the achievement of which should be ensured developed software. The objectives of information security are formulated taking into account identified threats to information security and assumptions about software operating environment. Information security objectives should be formulated in terms of confidentiality, integrity and availability. In addition, they may goals such as ensuring non-repudiation, accountability, monitoring capabilities, etc.
f) determine the procedure for documenting requirements for security requirements for the developed software. To form safety requirements, requirements for software, it is recommended to use laws, regulatory legal acts, methodological documents and industry standards, regulating the scope and relevant to developed software, and best practices in the development of secure ON. Documented safety requirements for developed software must be unambiguous, feasible (technically realizable) and verifiable (testable). For documenting security requirements, it is recommended to use security requirements templates created by the software developer (when availability). Inclusion of safety requirements in the list of requirements, imposed on software, and prioritization of their implementation should be to be carried out taking into account resource constraints, time constraints and assessment of economic feasibility.
g) determine the procedure for approval and approval security requirements for software, taking into account the need to perform the following typical actions:
1) determine the list of interested parties, coordinating the formulated requirements for security requirements for software;
2) submit formulated requirements for security for approval by interested parties;
3) if necessary, clarify the nomenclature and formulation of safety requirements, taking into account comments and suggestions received during the coordination requirements;
4) submit formulated requirements for security for the approval of the responsible employee software developer
h) define a procedure for periodic review, and revision of the safety requirements for software, taking into account the need to perform the following typical actions:
1) determine the events upon the occurrence of which analysis and revision of requirements for security requirements for software;
2) analyze, revise and refine the requirements for security requirements for software in the event of events;
3) agree and approve the amended requirements for security requirements for software (when adding changes). Examples of events upon the occurrence of which analysis and revision of the safety requirements for to the software may be:
– identification of program vulnerabilities;
– the emergence of new types of information security threats that have attitude to the developed software;
– changes in the provisions of laws, regulatory legal acts, methodological documents, industry standards and methodological recommendations related to the developed software.
i) define the general structure of the process of determining safety requirements for developed software, including a general list of procedures and actions, recorded results, start time and time frames for procedures and actions;
j) appoint employees responsible for the implementation of the measure on the development of secure software (taking into account the recommendations 188.8.131.52), familiarize them with the documentation related to implementing a measure to develop secure software.
Typical actions performed when implementing a measure for developing secure software
When implementing a measure to develop secure software The software developer needs:
a) collect information about the scope the software being developed and the type of information being processed;
b) taking into account the information received, perform preliminary analysis of potential security threats information;
c) identify the objectives of information security, achievement which should be provided by the developed software;
d) formulate and document requirements for security requirements for the developed software;
e) agree and approve the safety requirements, applied to the software;
e) review and revise requirements periodically security requirements for software.