Security specifications are a vital component of all software project requirements. The specification needs to be based upon the agreed security policies.
The information security specification needs to address all the potential inputs, outputs and assets required for the operation of the web system. These can be identified through formalised security models and risk assessments, through analysis of other requirements and documentation, and by reviewing legal and other compliance requirements.
Security specification requirements
The following types of issue should be addressed:
- system availability
- data identification and classification
- session management schema, including log out mechanisms
- authentication schema
- authorisation schema
- input validation functions
- choice of encryption protocols and how these are to be applied
- data exchange standards, and where appropriate, data exchange encryption
- network, hardware and operating system
- load balancing, failover, replication and standby systems
- installation and configuration
- operation controls including back-ups and recovery
- monitoring, logging and auditing
Each area will be highly dependent upon the other application requirements, installation environment, sensitivity of data and types of users. For example, the issues to be considered for the session management scheme would include the user topography, data classifications, number of concurrent sessions, the inactivity timeout, the active timeout, fixing sessions to IP address, user experience level, single sign-on/automated sign-on and 'remember me' functions.
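To show how several of the session management items above become testable requirements, the following added example (not part of the original page) enforces an inactivity timeout, an active timeout, IP address fixing and a concurrent session limit. All names and the default values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionPolicy:
    # Constructed example values; a real specification sets these per data classification.
    inactivity_timeout: int = 900   # seconds allowed between requests
    active_timeout: int = 28800     # seconds allowed since login, regardless of activity
    bind_ip: bool = True            # fix the session to the IP address seen at login
    max_concurrent: int = 2         # sessions allowed per user at one time

@dataclass
class Session:
    user: str
    ip: str
    created: float
    last_seen: float

def expired(policy, s, now):
    """Return the timeout that has elapsed for session s, or None."""
    if now - s.created >= policy.active_timeout:
        return "active timeout"
    if now - s.last_seen >= policy.inactivity_timeout:
        return "inactivity timeout"
    return None

def validate(policy, s, now, client_ip):
    """Check one request. Returns None if accepted, else the rejection reason."""
    reason = expired(policy, s, now)
    if reason is None and policy.bind_ip and client_ip != s.ip:
        reason = "ip mismatch"
    if reason is None:
        s.last_seen = now  # only accepted requests extend the inactivity window
    return reason

def login(policy, store, user, ip, now):
    """Create a session, evicting the user's oldest ones when at the limit."""
    store[:] = [s for s in store if expired(policy, s, now) is None]
    mine = sorted((s for s in store if s.user == user), key=lambda s: s.created)
    while len(mine) >= policy.max_concurrent:
        store.remove(mine.pop(0))
    new = Session(user, ip, now, now)
    store.append(new)
    return new
```

Whether to evict the oldest session or refuse the new login when the limit is reached is itself a decision the specification should record; this sketch evicts.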
Web security services from Watson Hall
Information security policies, standards and procedures, web site and web application security assessments and audit, security design and review.
Contact Watson Hall
Contact Watson Hall to discuss how we can help develop a security specification for your web site or web application.