Establishing Security Requirements
The importance of security requirements for application development is widely recognized. An unclear or incorrect requirement undermines the efficiency of subsequent development and risks producing an application that fails to meet its actual needs. In addition, an application usually has to satisfy not only business requirements but also various non-functional requirements, security requirements among them. Therefore, before formal development begins, it is essential to specify the security requirements, so that the security risks of the entire project are identified and solutions can be prepared as early as possible.
The following questions should be considered before analyzing and establishing security requirements:
- What security obligations must be undertaken?
Which laws and regulations apply to the application? For example, laws on personal privacy protection and intellectual property protection. Which regulatory or industry security standards, such as PCI DSS and SOX, must be followed? Are there internal enterprise security policies that must be followed?
- What important assets need to be protected?
Once the assets worth protecting have been identified, defenses can be targeted more precisely. Typical important assets include business data, users' personal privacy data, core business algorithms, intellectual property and corporate reputation.
- What are the consequences of a major security incident?
Although nobody wants a security incident to occur, it is worth considering the worst case when establishing security requirements. To do this, first assume that a major security incident has already happened, then analyze that scenario to predict its likely consequences, and establish defensive measures and emergency response plans accordingly.
- Who are the potential adversaries?
As the saying goes, "Know yourself and know your enemy, and you will win every battle." To establish more comprehensive security requirements and achieve better defense and protection, it is necessary to identify the potential adversaries. Generally speaking, an attacker may be a malicious commercial competitor, a member of an organized criminal group, an insider, or a partner.