COD 103 Creating Software Security Requirements
Table of Contents
Course Overview and Objectives ............................................................................................................................ 3
Software Security Requirements ............................................................................................................................ 5
Know Your Exposure ................................................................................................................................................ 7
Know the Risks .......................................................................................................................................................... 9
Security Mechanisms.............................................................................................................................................. 11
Regulatory Compliance.......................................................................................................................................... 13
Customer Security Requirements ......................................................................................................................... 15
Writing Security Requirements ............................................................................................................................. 16
Interactive Knowledge Check................................................................................................................................ 18
Course Summary..................................................................................................................................................... 19
Thank You ................................................................................................................................................................ 20
Page 1 of 20
Creating Software Security Requirements
Narration
On screen text
COD 103
Creating Software Security Requirements
Narration
This course is designed for NICE Workforce roles Software Developer (SP-DEV-001) and Secure Software
Assessor (SP-DEV-002). The objectives of this course align with OWASP API Security Top 10 and the
NIST Cybersecurity Framework.
On successful completion of this course, learners should have the knowledge and skills required to:
Understand how to develop security requirements, by considering common exposures, risks, and
security mechanisms.
Ensure that your written security requirements address regulatory compliance as well as customer needs
and implement industry best practices.
On screen text
This course is designed for NICE Workforce roles Software Developer (SP-DEV-001) and Secure Software
Assessor (SP-DEV-002). The objectives of this course align with OWASP API Security Top 10 and the
NIST Cybersecurity Framework.
On successful completion of this course, learners should have the knowledge and skills required to:
• Understand how to develop security requirements, by considering common exposures, risks, and
security mechanisms
• Ensure that your written security requirements address regulatory compliance as well as
customer needs and implement industry best practices
Narration
Every software application has requirements. Formalized or not, they drive the design, architecture, and
behavior of the application. Security too has requirements. To avoid compromise, an application must
operate within the constraints established through security requirements. In the requirements phase of
the software development lifecycle, development teams must determine the security objectives for their
software, taking into consideration business, customer, compliance, and other requirements. The aim is
to create a secure foundation for the entire development and deployment process. Security objectives
are the goals you wish to achieve for your application’s security. These goals should be the guiding
principles for every step in the threat modeling process. The primary security goals for any application
begin with the principles of confidentiality, integrity, and availability.
On screen text
In the requirements phase of the software development lifecycle, development teams must determine
the security objectives for their software
Business
Customer
Compliance
Security objectives are the goals you wish to achieve for your application’s security.
Confidentiality
Integrity
Availability
Narration
The first step in establishing security requirements is to understand your application’s exposure. This
means modeling the application to answer questions such as:
What technologies will the application use?
What assets and resources will be in use?
What sensitive data will the application store?
What user roles will exist on the system?
How will the different components communicate?
What will the network topology look like?
What are the primary usage scenarios?
How will the application be deployed?
On screen text
Narration
With a knowledge of the application’s exposure, the next step is to assess the risks.
Risk assessments take into account potential threats, actual vulnerabilities, the likelihood of exploitation, and
the impact to information systems. Risk assessments also consider risks associated with external parties,
such as service providers and contractors.
The initial risk assessment helps you to identify threats and classes of attacks that might lead to
compromise or otherwise affect your application’s security. This should involve application architects,
security professionals, developers, testers, system administrators, and anyone else involved in the
application lifecycle.
In developing the risk assessment, some things to consider are:
Threats common to any application
Threats unique to your application
Threats to data both at rest and in transit
Threats to user authentication and authorization
On screen text
With a knowledge of the application’s exposure, the next step is to assess the risks.
Potential threats
Actual vulnerabilities
Likelihood of exploitation
Impact
External parties
APPLICATION
THREATS
• Threats common to any application
• Threats unique to your application
• Threats to data both at rest and in transit
• Threats to user authentication and authorization
Security Mechanisms
Narration
As you develop security requirements, include coverage of the application's security mechanisms. The
most common security mechanisms are:
Input and data validation
Authentication
Authorization
Session management
Sensitive data handling
Cryptography
Key management
Auditing and logging
Exception management
And third-party components
On screen text
Security Mechanisms
• Cryptography
• Key management
• Auditing and logging
• Exception management
• Third-party components
Regulatory Compliance
Narration
When it comes to application security, there may already be security policies and standards in place that
developers must consider. Besides these, you should also consider any applicable national, international,
local, and industry-specific regulations. Depending on the application, there may be strict requirements,
guidelines, or general best practices to follow. For example, is your application going to work with
financial transactions, handle personal data, or store sensitive health care information? Will there be
users from the US, European Union, or other countries? Legislation can affect requirements for
encryption algorithms, storing private data, or handling financial transactions. While there are many
hundreds of different standards worldwide, some of the most common are:
Sarbanes-Oxley (SOX) - Implemented in the wake of the Enron disaster, this law imposes severe
penalties on publicly traded companies for exposing or falsifying financial data.
Gramm-Leach-Bliley Act (GLBA) - This law includes provisions to protect consumers’ personal financial
information held by financial institutions and imposes rules on safeguards.
General Data Protection Regulation (GDPR) - These requirements apply to each member state of the
European Union, aiming to create more consistent protection of consumer and personal data across EU
nations.
Health Insurance Portability and Accountability Act (HIPAA) - This law imposes guidelines and requirements
for the security and privacy of healthcare information.
Payment Card Industry Data Security Standard (PCI-DSS) - This is a comprehensive set of
requirements for secure handling of payment card data.
Your application might be subject to legal regulations that have specific security requirements. You may
need to consult an attorney to understand the full scope of your regulatory obligations.
On screen text
Regulatory Compliance
ORGANIZATION
POLICY
National
International
Local
Industry-specific
Will it work with financial transactions?
Will it handle personal data?
Will it store sensitive health information?
Will there be users from the US? EU? Other countries?
SOX
Sarbanes-Oxley
GLBA
Gramm-Leach-Bliley Act
GDPR
General Data Protection Regulation
HIPAA
Health Insurance Portability and Accountability Act
PCI-DSS
Payment Card Industry Data Security Standard
Narration
In addition to organizational and legal requirements, your customers might have specific security and
technical requirements that you need to understand. Often, customer-specific goals, features,
timeframe, and user experience associated with development take priority. And just as you must
consider regulatory compliance, so too must your customers with the software and services they use. Ask
key customers questions about the assets and data to protect, regulatory compliance, quality of service, and
data confidentiality requirements.
On screen text
Narration
Security requirements are most effective when they are clear, consistent, measurable, and
testable.
When writing security requirements, ask the following questions:
Is the requirement clear about its purpose and intent?
Does the requirement apply to a specific vulnerability or other threat?
Is the requirement testable and measurable?
Does the requirement align with other security requirements?
Can you map the requirement to specific regulations?
If the requirement is non-functional, is there a way to determine compliance?
On screen text
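As an added example (not part of the course material), the following Python shows what "testable and measurable" means in practice: a vague requirement has no condition a check can decide, while a concrete one can be verified automatically. The requirement texts, the identifiers REQ-SESS-01 and REQ-SESS-02, and the two Set-Cookie header values are constructed for illustration and do not come from the course.

```python
"""Turning a security requirement into an automated check.

Added example, not part of the course. The requirement statements, IDs and the
sample Set-Cookie headers below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into the cookie name/value and its
    attributes. Attribute names are lower-cased; flag attributes such as
    Secure and HttpOnly map to True, valued attributes to their string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    parsed: Dict[str, object] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        parsed[key.strip().lower()] = val.strip() if sep else True
    return parsed


def check_session_cookie(header: str, max_age_limit: int = 1800) -> List[str]:
    """Verify one Set-Cookie header against the measurable requirement:
    Secure, HttpOnly, SameSite=Strict|Lax and Max-Age <= max_age_limit.
    Returns a list of findings; an empty list means the requirement passed."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if cookie.get("secure") is not True:
        findings.append("missing Secure flag")
    if cookie.get("httponly") is not True:
        findings.append("missing HttpOnly flag")
    samesite = cookie.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        findings.append("SameSite must be Strict or Lax")
    max_age = cookie.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("Max-Age missing or not a whole number of seconds")
    elif int(max_age) > max_age_limit:
        findings.append(f"Max-Age {max_age}s exceeds the {max_age_limit}s limit")
    return findings


@dataclass
class Requirement:
    """A security requirement plus, where one exists, the check that decides it."""
    req_id: str
    text: str
    check: Optional[Callable[[str], List[str]]] = None  # None: nothing can decide it

    @property
    def testable(self) -> bool:
        return self.check is not None


# Constructed sample requirements: the first is the kind the knowledge check
# asks you to eliminate, the second states a condition a test can decide.
REQUIREMENTS = [
    Requirement("REQ-SESS-01", "The application shall be secure against session hijacking."),
    Requirement(
        "REQ-SESS-02",
        "Session cookies shall be sent with the Secure and HttpOnly flags, "
        "SameSite set to Strict or Lax, and a Max-Age of at most 1800 seconds.",
        check_session_cookie,
    ),
]

# Constructed sample headers, as a server might emit them.
GOOD_HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900"
BAD_HEADER = "session=abc123; Path=/; Max-Age=86400"


def evaluate(requirements: List[Requirement], observed_header: str) -> Dict[str, str]:
    """Report each requirement as PASS, FAIL (with findings) or UNTESTABLE."""
    results: Dict[str, str] = {}
    for req in requirements:
        if not req.testable:
            results[req.req_id] = "UNTESTABLE: no measurable condition to verify"
            continue
        findings = req.check(observed_header)
        results[req.req_id] = "PASS" if not findings else "FAIL: " + "; ".join(findings)
    return results


if __name__ == "__main__":
    for label, header in (("compliant server", GOOD_HEADER), ("non-compliant server", BAD_HEADER)):
        print(f"--- {label}: {header}")
        for req_id, verdict in evaluate(REQUIREMENTS, header).items():
            print(f"{req_id}: {verdict}")
```

The point of the contrast is that REQ-SESS-01 can never be marked passed or failed, which is exactly why the course's questions ("Is the requirement testable and measurable?") would have it rewritten or eliminated, whereas REQ-SESS-02 names the attributes and the numeric limit that a test can read off a real response.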
Narration
Here are some sample security requirements. Two of them are unclear, untestable, or otherwise
unmeasurable. Click the two which should be eliminated.
On screen text
Here are some sample security requirements. Two of them are unclear, untestable, or otherwise
unmeasurable. Click the two which should be eliminated.
Course Summary
Narration
In this course, you learned about creating software security requirements.
Included in the topics discussed:
Understanding how to develop security requirements, by considering common exposures, risks, and
security mechanisms.
Ensuring that your written security requirements address regulatory compliance as well as customer
needs and implement industry best practices.
On screen text
Course Summary
Thank You
Narration
On screen text
Thank You
This concludes the Creating Software Security Requirements course. Thank you.
Click the “Take the Exam” button to proceed to the exam.