您的位置：首页 > 编程语言 > ASP

IT 项目的安全需求（一）— CLASP

2017-11-21 13:33 267 查看

IT项目需求中的有一项重要的需求就是安全需求，怎样制定安全需求，我会分两篇文章介绍两种通用的安全需求框架

第一种是CLASP

CLASP (Comprehensive, Lightweight Application Security Process) 提供一种组织良好的、结构化的方法，在软件开发生命周期的早期阶段进行安全需求的制定。

CLASP实际上是一组可以集成到任何软件开发过程中的项目活动。它被设计成既有效又容易采用。它提供了一些规定性的方法，活动，大量的安全资源，都可以是否有效的帮助我们在项目种开展这些活动。

下面这个表就是CLASP中描述的活动：

CLASP Best Practices	CLASP Activities	Related Project Roles
1. Institute awareness programs	Institute security awareness program	Project manager
2. Perform application assessments	Perform security analysis of system requirements and design (threat modeling)	Security auditor
Perform source-level security review	Owner: security auditor Key contributor: implementer, designer
Identify, implement, and perform security tests	Test analyst
Verify security attributes of resources	Tester
Research and assess security posture of technology solutions	Owner: designer Key contributor: component vendor
3. Capture security requirements	Identify global security policy	Requirements specifier
Identify resources and trust boundaries	Owner: architect Key contributor: requirements specifier
Identify user roles and resource capabilities	Owner: architect Key contributor: requirements specifier
Specify operational environment	Owner: requirements specifier Key contributor: architect
Detail misuse cases	Owner: requirements specifier Key contributor: stakeholder
Identify at 4000 tack surface	Designer
Document security-relevant requirements	Owner: requirements specifier Key contributor: architect
4. Implement secure development practices	Apply security principles to design	Designer
Annotate class designs with security properties	Designer
Implement and elaborate resource policies and security technologies	Implementer
Implement interface contracts	Implementer
Integrate security analysis into source management process	Integrator
Perform code signing	Integrator
5. Build vulnerability remediation procedures	Manage security issue disclosure process	Owner: project manager Key contributor: designer
Address reported security issues	Owner: designer Fault reporter
6. Define and monitor metrics	Monitor security metrics	Project manager
7. Publish operational security guidelines	Specify database security configuration	Database designer
Build operational security guide	Owner: integrator Key contributor: designer, architect, implementer

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签： CIO 需求 BA 企业项目管理

相关文章推荐

新的分享

章节导航