A few years ago I was brought in to help with security for a project at a large retailer in the UK. They were building out some web APIs that listed which products a customer might want to buy, based on previous orders they’d made. One of the first questions I asked was “How are we managing GDPR requirements?”. A look of concern came across everyone’s faces. The team had done a lot of work on setting up functional requirements and tests but didn’t know security and regulatory requirements were a thing. A couple weeks of rejigging the architecture and a few late nights later, the API was updated to include “right to be forgotten” functionality.
This was hard evidence that the “shift left” mantra that security folks have been banging on about has some merit. Those late nights could have been avoided if we included security in the requirements phase of software development. Yes, that includes Agile!
The goal here is to identify risks early and embed security requirements into the project from the very start.
Whether you use Scrum, Kanban, Waterfall, something else… it doesn’t matter. They all have steps where security requirements can be injected early on in the software development lifecycle.
Examples of security requirements:
| ID | Requirements |
|---|---|
| R1 | All requests to the API must be authenticated. Unauthenticated requests will be redirected to the login page. |
| R2 | Each API method must restrict access only to users who require access for their job role. |
| R3 | All traffic to and from the app must be over TLS 1.2. |
| R4 | There must be a mechanism to permanently delete PII data from the database. |
| R5 | Every login/logout event must be sent to the SIEM. |
It’s difficult to know if your security controls are working unless you test them. One thing I like to do is write my requirements so that they can be tested programmatically. For the requirements above, the associated tests might look like this:
| ID | Security Tests |
|---|---|
| T1 | Send an unauthenticated HTTP GET or POST request to the endpoint, and test for an ‘unauthenticated’ response code. |
| T2 | Test access with each role to each API method, according to the access control table. |
| T3 | Test that only port 443 is listening, and then test the available TLS ciphers on 443. |
| T4 | Submit PII in to the fields that accept PII, perform the delete action, then search the database for the relevant PII to check if it’s still there. |
| T5 | Intitiate login and logout events, and then - using the SIEM’s API - checked in the SIEM |
If you can’t measure it, you can’t manage it
In addition to testing your security controls against the requirements, we also need to understand what success looks like. It helps to set quantifiable goals during this phase of the SSDLC, so everyone knows what to work towards.
Some examples of success metrics:
Metrics like these will guide the team throughout development and act as criteria for release approval.
By the end of this phase, you should have:
Skipping or rushing security requirements phase can turn a development sprint into a marathon of security fixes later on. Bake security in from the start!
I’m Gene. I use my software engineering and red team experience to drive security uplift initiatives. Most recently I led the offensive …
More
Everyone? I’m not so sure… Imagine the early 2000s… Britney Spears is playing on …
This Attack Model maps potential attack vectors in …
STRIDE has not aged well… I’ve seen first-hand the …
Let me tell you a story… A few years ago, I was …
The news of Hezbollah agents being targeted with …