If you have an application, you might be asking yourself questions such as: How do I make my application more secure? Where do I get security requirements from? Why do I need them?
In this post, we’re going to explore that further.
What are Security Requirements?
Security requirements describe what is expected of a system and how it should function. Security requirements define what assurance criteria should be built into the system in order to provide the right level of protection for the kinds of data and functionality that the system provides.
Where Do You Find Security Requirements?
Where do you find security requirements, how do you get them, and where do they come from?
The good news is that OWASP has a document called the Application Security Verification Standard (ASVS) that provides close to 300 controls related to security.
Now, the question is: are all of them appropriate for you? Perhaps not, and that’s why ASVS groups these controls into 3 categories or into 3 levels of assurance:
Level 1 is for most applications. The moment you plug your application into the Internet, you’re going to be attacked, and you must at least have the minimum set of controls that are defined by level 1.
Level 2 is for when your application handles data such as personally identifiable information or performing small transactions. In fact, most applications fall under this category.
Level 3 is for applications that handle sensitive medical data, high value transactions, or require the highest levels of assurance.
At Forward Security, we use ASVS every day to perform our testing and you should also use it to build secure applications.