Application 3 Identifying and Fixing Security Weaknesses
There are many facets of the secure application development process. The right set of security functional requirements has to be identified along with more qualitative nonfunctional security characteristics, such as reliability. Then those requirements have to be embodied in a provably correct design and finally coded using secure coding practices. Meanwhile, the evolving product has to be assured in-stream by unit tests that then prove to satisfy the assurance case using acceptance testing methods and novel assurance measures, such as penetration tests.
The whole process starts with getting the right set of security requirements, which is what you will focus on in this assignment. While it is true that all other aspects of secure development are important, if the initial requirement set is incorrect the product will be incorrect, no matter how many best practices were involved in the preparation process.
To begin the Application:
Read about the Software Engineering Institute's SQUARE-Lite security requirements elicitation method found in the SQUARE-Lite: Case Study on VADSoft Project (see attached pdf). Choose one of AAG's Revenue Acquisition Management (RAM) system applications as described in the AAG model case (see attached pdf). Apply the SQUARE-Lite methodology to assess the risks and threats for the application you chose.
Using the templates provided in the SQUARE-Lite document, develop:
•A risk and threat list (with at least five risks for your application) as shown in section 2.1.3
•A risk matrix as shown in section 2.2
•A risk rank list as shown in section 2.2.3
Then, using your risk and threat assessment, write a 1- to 2-page paper in which you develop one security functional requirement for the RAM application based on your risk and threat assessment. This requirement should be practically implementable and should achieve the security objective it was meant to address. Your paper should justify your functional requirement by explaining how it addresses the threats and risks you have identified. Include your risk list, risk matrix and risk rank list as appendices to your paper.
Remember to properly cite your sources according to APA guidelines.