Training Course Outline: Gathering and Documenting Web Application Security Requirements

Description

Business Analysts are being called upon as never before to include functional and non-functional security requirements in their Requirements specifications. Writing Security Requirements for web applications is not intuitive, and to be effective you need to provide the additional information that developers need to create robust applications. This course provides the insights you need to augment Requirements specifications with practical information that will facilitate the creation of secure sites.

Audience

Experienced Business Analysts who wish to produce comprehensive and concise Security Requirements for their web applications. Development teams that want to build secure applications from the beginning.

Duration

1 Day

Objectives

  • Be familiar with the Secure Software Development Lifecycle
  • Understand what developers need to know to produce secure features
  • Understand what Use Cases are and their value in specifying Security Requirements
  • Be prepared to address Authentication in Security Requirements
  • Be prepared to address role-based Access Control in Security Requirements
  • Be prepared to address secure I/O in Security Requirements
  • Be prepared to address secure data handling in Security Requirements
  • Be prepared to address secure Session management in Security Requirements

Setup

  • None

Text

  • Course Workbook

Prerequisites

  • A solid understanding of web application Requirements gathering and documentation

Outline

Topic 1:     Introduction

  • Welcome
  • Motivation
  • Course Objectives
  • Course Overview
  • The Software Development Lifecycle (SDLC)
  • Security in the SDLC
  • The Importance of Security Requirements
  • Application Security in Context
  • Lab Exercise: Requiring Security
  • Quiz

Topic 2:     Requirements Gathering

  • Purpose, Process, Deliverables
  • Who Gathers Requirements?
  • Types Of Requirements
  • Requirements Outline Template
  • Information Gathering Techniques
  • Effective Communication
  • Active Listening
  • Facilitating Requirements Sessions
  • Requirements Verification
  • Facilitating Requirements Reviews
  • Errors, Messages, and Logging
  • Lab Exercise: Planning Requirements Gathering
  • Quiz

Topic 3:     Security Requirements

  • Authentication
  • Protecting Sensitive Information
  • Role-based Access Control
  • Secure I/O
  • Form Considerations
  • Recognizing and Responding to Attack
  • Session Management
  • Lab Exercise: Documenting Security Requirements
  • Quiz

Topic 4:     Overview of Use Case Analysis

  • Use Cases As Actor/Goals Lists
  • Identifying Actors
  • Documenting Objectives
  • Preconditions, Guarantees, and Triggers
  • Use Case Prioritization
  • Actors/Goals List
  • Lab Exercise: Documenting Actors and Goals
  • Quiz
  • Use Cases As Narratives
  • Use Case Narratives
  • Primary Scenario
  • Scenario Steps
  • Alternative Scenarios
  • Exception Scenarios
  • Sequence Numbering
  • Use Case Example
  • When Are We Done?
  • Lab Exercise: Documenting Use Case Narratives
  • Quiz

Topic 5:     Authentication

  • Users, Roles, and Accounts
  • Certificate-based Authentication
  • Single vs. Multi-Factor Authentication
  • Password Strength
  • Password Reset
  • Security Questions
  • Re-authentication
  • Lab Exercise: Who Are You?
  • Quiz

Topic 6:     Protecting Sensitive Information

  • Defining Sensitive Information
  • Protection at Rest
  • Protection in Transit
  • In Memory Handling
  • Data Masking
  • Logging and Other Output
  • Lab Exercise: Data Masking at Home
  • Quiz

Topic 7:     Role-based Access Control

  • Users, Roles, and Accounts
  • Principle of Least Privilege
  • Enforcing Navigation
  • Maintaining State
  • Protecting Critical Transactions
  • Dynamic Control Management
  • Dynamic Permissions Management
  • Lab Exercise: Role Play
  • Quiz

Topic 8:     Secure I/O

  • Trust Zones
  • What is Untrusted Input?
  • Validating Untrusted Input
  • Data Meta-Data
  • Users, Roles, and Accounts
  • Secure File Handling
  • Handling Filenames and Directories
  • Handling URLs
  • Denial of Service Considerations
  • Lab Exercise: File Upload
  • Quiz

Topic 9:     Form Considerations

  • How HTTP Works
  • GET vs. POST
  • Request Parameters
  • Cookies
  • Field-Level Validation
  • Cross-Field Validation
  • Parameter Meta-data
  • Client-Side and Server-Side Validation
  • Detecting Automation
  • Avoiding Multiple Submission
  • Client Side Validation
  • Lab Exercise: Design a Form
  • Quiz

Topic 10:     Data Handling

  • What is an Injection Attack?
  • Encoding to Prevent Injection
  • Avoiding Denial of Service
  • Lab Exercise:
  • Quiz

Topic 11:     Session Management

  • What is a Session?
  • Session Tracking
  • The Session Lifecycle
  • Lab Exercise:
  • Quiz

Appendix     Quiz Answers