Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.
Establish secure development policies by identifying and documenting security requirements for all internally developed software. This includes risk-based architecture, design practices, and guidelines for technology stack analysis, software archiving, end-of-life notifications, and exception handling. Such practices reinforce secure-by-design principles and ensure software is built with a strong security foundation.
Standardize and integrate security requirements into development processes by systematically gathering inputs from diverse sources, including organizational policies, legislative requirements, application feedback, vulnerability metrics, and historical logs. Conduct brainstorming sessions, interviews, or workshops to identify requirements, and use structured notations that align security requirements with functional requirements for the project. Extend existing analysis documents, user stories, or other requirement specifications to include security requirements and ensure their integration into the product development lifecycle. Establish mechanisms to enforce compliance with security requirements by annotating them with priorities or integrating them into project governance. Balance these security needs against other non-functional requirements to maintain alignment with the organization's security appetite. This approach ensures that security requirements are consistently addressed, enhancing the software's resilience and alignment with secure-by-design principles.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-01-02-01-01 | Elicit security requirements from multiple sources | Collect security requirements systematically from policies, regulations, known application issues, and intelligence (e.g., metrics, historical logs, vulnerability databases). | Preparation | Security team, Compliance team, Development leads |
| SSS-02-01-02-01-02 | Organize stakeholder workshops and interviews | Conduct workshops, brainstorming sessions, or interviews with stakeholders to gather inputs from diverse sources, such as policies, laws, and operational needs. | Preparation | Security team, Product owners, Compliance officers |
| SSS-02-01-02-01-03 | Standardize security requirements documentation | Use a structured format (e.g., extending functional requirements documents, writing user stories) to document security requirements in a way that integrates with project workflows. | Development | Development teams, Security team, Product owners |
| SSS-02-01-02-01-04 | Prioritize and annotate security requirements | Assign priorities to security requirements and align them with the project's security appetite, balancing functional and non-functional requirements. | Development | Security team, Product managers |
| SSS-02-01-02-01-05 | Monitor and enforce compliance | Set up a process or tool to monitor and enforce compliance with security requirements during product development and testing, ensuring alignment with security objectives. | Deployment | DevOps team, QA team, Security team |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0401) NIST Secure Software Development Framework (PO.1.2) OWASP SAMM: Software Assurance Maturity Model (D-SR-2-A) |