This objective, and the other similar 'include' objectives, simply state what work has to be included as part of Product Security Work. You may want to include more, but you cannot omit any of these and still deliver a secure Product.
- Group or Individual: Product Team
- Artefact: Product Security Work
- Concepts: Functional Requirement Analysis
- Document: Product Security Work
- Risk Type: Feasibility
- Event: A security vulnerability is identified by somebody outside of the Organisation
- Caused By: Product Teams not identifying and remediating discoverable product insecurities as part of delivery
- Leading To: Increased cost for remediation, impact on delivery or increased risk of a Security Incident
- D-SR-A-1-1 (Design > Security Requirements > Software Requirements): Do project teams specify security requirements during development?
- V-RT-B-2-1 (Verification > Requirements-driven Testing > Misuse/Abuse Testing): Do you create abuse cases from functional requirements and use them to drive security tests?