Building security requirements with CLASP

Abstract

Traditionally, security requirements have been derived in an ad hoc manner. Recently, commercial software development organizations have been looking for ways to produce effective security requirements. In this paper, we show how to build security requirements in a structured manner that is conducive to iterative refinement and, if followed properly, metrics for evaluation. While requirements specification cannot be a complete science, we provide a framework that is an obvious improvement over traditional methods that do not consider security at all. We provide an example using a simple three-tiered architecture. The methodology we document is a subset of CLASP, a set of process pieces for application security that we have recently published, in conjunction with IBM/Rational.