Security Requirements
Security requirements describe functional and non-functional requirements that must be satisfied to achieve the security properties of an IT system.
Security requirements can be formulated at different abstraction levels. At the highest level they reflect security objectives, such as 'The system must maintain the confidentiality of all data classified as confidential'. More useful for architects and developers are requirements that describe concretely what must be done to assure security. NIST 800-53 Rev 5 controls serve as the primary source of concrete security requirements in OSA patterns.
Requirement Types
- Secure Functional Requirements: security-related descriptions integrated into each functional requirement. Typically also specify what shall not happen. Can be derived from abuse cases, threat models, and STRIDE analysis.
- Functional Security Requirements: security services that must be provided by the system, such as authentication, authorisation, encryption, logging, and backup. Derived from control frameworks (NIST 800-53), compliance obligations, and organisational security policies.
- Non-Functional Security Requirements: security-related architectural qualities like resilience, performance under attack, and graceful degradation. Derived from security design principles (see NIST SP 800-160) and operational requirements.
- Secure Development Requirements: required activities during system development to assure the outcome is not subject to vulnerabilities: threat modelling, secure coding standards, static and dynamic analysis, software composition analysis, and security testing gates. Derived from NIST SSDF (SP 800-218) and implemented through OSA patterns SP-012, SP-028, and SP-041.
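The four types above differ mainly in where a requirement comes from and how it is shown to be met, which makes a requirements register easy to check mechanically. The following added example (it is not OSA's own tooling and is not part of this page) encodes the four types and the derivation sources named for each, then checks a small constructed register: every requirement must cite a recognised source for its type, name a verification method, and refine a known objective; every high-level objective must be refined by at least one concrete requirement; and secure functional requirements are flagged when they omit what shall not happen. The objectives, requirement identifiers (SFR-1, FSR-2, and so on) and statements are invented for illustration.

```python
"""Traceability and completeness checks over a small security-requirements register.

Added example, not from the OSA page: the requirement types and their allowed
derivation sources follow the page's descriptions; all sample data is constructed.
"""
from dataclasses import dataclass
from enum import Enum


class ReqType(Enum):
    SECURE_FUNCTIONAL = "secure functional"
    FUNCTIONAL_SECURITY = "functional security"
    NON_FUNCTIONAL_SECURITY = "non-functional security"
    SECURE_DEVELOPMENT = "secure development"


# Recognised derivation sources per type, as the page describes them.
ALLOWED_SOURCES = {
    ReqType.SECURE_FUNCTIONAL: {"abuse case", "threat model", "STRIDE"},
    ReqType.FUNCTIONAL_SECURITY: {"NIST 800-53", "compliance", "security policy"},
    ReqType.NON_FUNCTIONAL_SECURITY: {"NIST 800-160", "operational requirement"},
    ReqType.SECURE_DEVELOPMENT: {"NIST 800-218"},
}


@dataclass
class Requirement:
    rid: str
    rtype: ReqType
    statement: str
    derived_from: frozenset                 # sources the requirement was derived from
    objectives: frozenset = frozenset()     # high-level objectives it refines
    verification: str = ""                  # how it will be shown satisfied (test, scan, review)


def check_register(objectives: dict, reqs: list) -> list:
    """Return human-readable findings; an empty list means the register is consistent."""
    findings = []
    covered = set()
    known = set(objectives)
    for r in reqs:
        unrecognised = r.derived_from - ALLOWED_SOURCES[r.rtype]
        if unrecognised:
            findings.append(f"{r.rid}: source(s) {sorted(unrecognised)} are not a recognised "
                            f"origin for {r.rtype.value} requirements")
        if not r.verification:
            findings.append(f"{r.rid}: no verification method, so the requirement cannot be tested")
        unknown = r.objectives - known
        if unknown:
            findings.append(f"{r.rid}: refines unknown objective(s) {sorted(unknown)}")
        # Secure functional requirements should also state what must not happen.
        if r.rtype is ReqType.SECURE_FUNCTIONAL and not any(
                neg in r.statement.lower() for neg in ("shall not", "must not")):
            findings.append(f"{r.rid}: secure functional requirement does not say what shall not happen")
        covered |= r.objectives
    for oid in sorted(known - covered):
        findings.append(f"{oid}: objective '{objectives[oid]}' is not refined by any concrete requirement")
    return findings


# Constructed sample register (illustrative values, not taken from the page).
OBJECTIVES = {
    "O1": "maintain the confidentiality of all data classified as confidential",
    "O2": "hold privileged users accountable for their actions",
    "O3": "remain available to legitimate users while under attack",
    "O4": "preserve the integrity of audit records",
}

SAMPLE_REQUIREMENTS = [
    Requirement("SFR-1", ReqType.SECURE_FUNCTIONAL,
                "Password reset shall e-mail a single-use token and shall not reveal "
                "whether the address is registered.",
                frozenset({"threat model"}), frozenset({"O1"}), "integration test"),
    Requirement("FSR-1", ReqType.FUNCTIONAL_SECURITY,
                "Confidential data shall be encrypted in transit using TLS 1.2 or later.",
                frozenset({"NIST 800-53"}), frozenset({"O1"}), "TLS configuration scan"),
    # Deliberately defective: unrecognised source and no verification method.
    Requirement("FSR-2", ReqType.FUNCTIONAL_SECURITY,
                "All privileged actions shall be logged with actor, time and outcome.",
                frozenset({"vendor whitepaper"}), frozenset({"O2"})),
    Requirement("NFR-1", ReqType.NON_FUNCTIONAL_SECURITY,
                "The API shall keep serving authenticated users at half its normal throughput "
                "during a tenfold request flood.",
                frozenset({"NIST 800-160"}), frozenset({"O3"}), "load test with attack traffic"),
    Requirement("SDR-1", ReqType.SECURE_DEVELOPMENT,
                "Every release shall pass static analysis and software composition analysis "
                "gates with no open critical findings.",
                frozenset({"NIST 800-218"}), frozenset(), "CI pipeline gate"),
]


if __name__ == "__main__":
    for finding in check_register(OBJECTIVES, SAMPLE_REQUIREMENTS):
        print(finding)
```

Run stand-alone, the script reports three findings for the sample register: FSR-2 cites a source that is not a recognised origin for a functional security requirement, FSR-2 has no verification method, and objective O4 is refined by nothing. The secure development requirement refines no objective on purpose, since such requirements constrain the process rather than the product; the objective-coverage check is therefore driven from the objectives side, which is where gaps of the "we wrote a confidentiality objective but nothing concrete about audit integrity" kind tend to hide.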
References
- NIST SP 800-53 Rev 5 -- Security and Privacy Controls for Information Systems
- NIST SP 800-218 -- Secure Software Development Framework (SSDF)
- NIST SP 800-160 Vol 1 Rev 1 -- Engineering Trustworthy Secure Systems
- OWASP Application Security Verification Standard (ASVS)
- OWASP SAMM v2.0 -- Software Assurance Maturity Model