I'm giving a talk at OWASP AppSec Europe in Trinity College, Dublin, Ireland on Friday June 10th at 11:10. It's part of the Prevent track.
The talk is aimed at developers (or builders, as OWASP calls them). At the start of a development project you should think a bit about security. In the presentation I will go through a simple, structured list of security tasks that you should carry out in order to gather the security requirements the project should implement.
If you spend a few hours thinking about security early on, you could save yourself a whole lot of problems later on. A workshop with the relevant people is a suitable format for this. The list of tasks which the presentation outlines can form the basis for this security workshop.
In fact, you can use the list of tasks as the agenda for the workshop.
A fictitious website which processes personal information (as defined by EU Data Protection Legislation) will be used as an example.
Even QEII likes the list
- Data Classification
- Simple Threat Analysis
- Data Flow Diagram
- User Lifecycle/Authentication, etc.
- Segregation of Duties
- Audit Trail
- Data Retention
- Other Compliance Issues
If you spend a few hours at the start of a project going through this list, you will have a good idea of your security requirements and what you need to do. It is much better than trying to do this at the end.
This is what I will try to get across in this talk. So if you are on the development side of the house and you are interested in a simple approach to specifying your security requirements, then do come along to the talk. It will be an XSS-free zone!
The security list is based on Section 2 of the SDLC Quick Reference.