In my last post, "Security Training for the Development Team," I shared the experience of building a security training program for the development team.
Today, I will cover another essential step of secure engineering: security requirements. After reading this post, I hope you will have a better understanding of the topic and be able to improve your security processes by adopting the practices described here from the beginning of the product engineering phase.
Understanding a system's security and privacy requirements is critical to building a secure system. Security requirements must be reviewed and updated regularly so that they reflect both current business needs and the constantly changing threat landscape. They should also be defined alongside the functional requirements: this helps the design team create a system that satisfies both sets of requirements from the start, and it builds a security culture and mindset within the team.
Below, we will look at an agile development environment and the different ways in which security requirements can be captured and tracked there.
1. Security Epics And User Stories
A team can track security requirements similar to the functional and feature requirements in the form of epics and user stories.
Epics and user stories can document and track business-level security requirements, such as those arising from policy and compliance, legal, contractual, or regulatory obligations, as well as system-level and design-level functionality such as multi-factor authentication, logging, and tracing. These can be prioritized alongside the other epics and user stories.
Security epics and user stories ensure that security requirements are considered from the beginning and that the whole team is aware of them. The team can also tag these epics and user stories and track them separately on a security board.
2. Security Tasks
In addition to epics and user stories, a team can track security requirements as security tasks. Security tasks are better suited to the granular, implementation level; for example, a task to implement encryption of PII data at the point where it is captured and stored.
Security tasks ensure that security is not overlooked while business features and functionality are being implemented.
3. Security Debt
Security tasks can also be captured and tracked as security debt. Security debt consists of the security tasks that could not be properly implemented because of the prioritization decisions described above.
As with technical debt, a team should be cautious when tracking security debt: it can grow rapidly and become a significant risk if it is not paid down within a reasonable time.
4. Operational Security Tasks
The team can also capture and track operational security work as operational security tasks.
These tasks typically do not derive from a specific security requirement; they are recurring operational hygiene. Examples include updating the development environment regularly, updating open-source libraries regularly (at least before each major release), and resolving issues reported by SAST tools.
5. Specialized Security Tasks
The engineering team can implement all of the above without significant help from the security team.
However, a few tasks require a deep understanding of security. These can be captured and tracked as specialized security tasks, such as threat modeling, penetration testing, and environment hardening.