Tips for Gathering Security Requirements of your Web Application Project

Gathering security requirements for a project, or for each sprint if the team works in an agile model, is key to delivering secure applications, because the security requirements drive the corresponding security design. The following are key topics to consider when gathering security requirements:

  1. Authentication & password management: This is mostly a one-time activity, done at the start of the project rather than in every sprint. One may want to ask questions such as the following in relation to authentication and password management:
    • Password policies: Ask about password policies to reduce the risk of dictionary attacks against user credentials.
    • Password hashing: Ask how passwords are stored, to make sure they are salted and hashed with an appropriate password-hashing algorithm rather than stored in a recoverable form.
    • Password reset mechanism: Ask how the reset flow works, to prevent attackers from modifying or intercepting the password reset mechanism to learn users’ passwords.
  2. Authorization & role management: Identify all the key functions and ask who is authorized to access each of them. This will also help you identify the different roles and put access control hooks in place. Broken authorization is also listed as one of the key threats/vulnerabilities in the OWASP Top 10. In the agile scrum model, this analysis could be done at the start of each sprint.
  3. Audit logging: It is good to ask about and identify all the key transactions that could be subject to repudiation attacks, which could have a major business impact. Consider analyzing the audit logging requirements in relation to those transactions. In the agile scrum model, this analysis could be done at the start of each sprint.
  4. Third-party component analysis: It is important to ask about or analyze whether any third-party components are required. On this basis, one analyzes the known vulnerabilities associated with these components and makes appropriate recommendations. This relates to one of the key security vulnerabilities included in the OWASP Top 10. In the agile scrum model, this analysis could be done at the start of each sprint.
  5. Input data validation and sanitization: It is important to ask about, understand and analyze the nature of the input data and plan for data validation and sanitization. This primarily addresses cross-site scripting (XSS) vulnerabilities, which are also included in the OWASP Top 10, and it also helps to avoid SQL injection to a great extent. In the agile scrum model, this analysis could be done at the start of each sprint.
  6. Cryptography and key management: This is to analyze whether there are transactions that need to be secured and require a handshake mechanism, which can be implemented using a number of techniques for exchanging public/private keys before the transactions are processed.
  7. Source code integrity: This is a one-time activity, to be done at the start of the project or in the first sprint. It covers the following:
    • Source code should be stored in a well-secured source code control repository with strong authentication and role-based access control following the principle of “least privilege”. You may want to ask questions about the source code repository and the related tooling.
    • You may also want to discuss the source code repository tool and how the code is protected while being developed, at rest, and in transit.
  8. Source code governance: It is key to discuss the source code review strategy, as it will require automated and manual code review and may affect the overall project timeline to some extent, owing to the time required for the review and for follow-up actions such as fixing the review findings. This is a one-time activity and should be done at the start of the project or in sprint one.
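As an added example for item 5 (not code from the original post), the following Python puts a string-built query beside its parameterised form against a constructed in-memory SQLite table, adds an allow-list validator for usernames, and encodes output at the HTML sink, which is the part input validation alone does not cover. The username policy is an assumption.

```python
import html
import re
import sqlite3

# Constructed in-memory table standing in for the application's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'Alice'), ('bob', 'Bob')")

# Allow-list validation at the trust boundary: only the characters the
# application actually needs in a username (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username: str) -> bool:
    """Reject anything outside the allow-list before it reaches storage or rendering."""
    return USERNAME_RE.fullmatch(username) is not None


def find_user_unsafe(username: str):
    """String-built query: the input becomes part of the SQL grammar, so a
    value containing quotes changes what the statement means."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(username: str):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()


def render_display_name(display_name: str) -> str:
    """Output encoding at the HTML sink: validation alone does not stop stored
    XSS, because display names may legitimately contain characters such as '<'."""
    return f'<span class="user">{html.escape(display_name, quote=True)}</span>'
```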
Ajitesh Kumar