Security Requirements

Refer to the Software Security Lifecycle presentation for the main phases and relevant processes.

This is largely achieved through a structured risk management process that involves:

• Identifying information and related assets, plus potential threats, vulnerabilities and impacts.

• Evaluating the risks.

• Deciding how to address or treat the risks, i.e. to avoid, mitigate, share or accept them.

• Where risk mitigation is required, selecting or designing appropriate security controls and implementing them.

• Monitoring the activities, making adjustments as necessary to address any issues, changes and improvement opportunities.

Phase	Microsoft SDL	McGraw Touchpoints	SAFECode
Education and awareness	Provide training		Planning the implementation and deployment of secure development.
Project inception	Define metrics and compliance reporting. Define and use cryptography standards. Use approved tools.		Planning the implementation and deployment of secure development.
Analysis and requirements	Define security requirements. Perform threat modelling.	Abuse cases. Security requirements.	Application security control definition.
Architectural and detailed design	Establish design requirements.	Architectural risk analysis.	Design.
Implementation and testing	Perform static analysis security testing (SAST). Perform dynamic analysis security testing (DAST). Perform penetration testing. Define and use cryptography standards. Manage the risk of using third-party components.	Code review (tools) Penetration testing. Risk-based security testing.	Secure coding practices. Manage security risk inherent in the use of third-party components. Testing and validation.
Release, deployment, and support	Establish a standard incident response process.	Security operations.	Vulnerability response and disclosure.