
Security Requirements and Assessment Testing for Banking Application

   

Added on  2022-08-30

24 pages, 4990 words
Table of Contents
Executive Summary 2
Overview 3
Applicable principles for web security 3
Web application security 5
Policy framework 5
Web application authentication 6
Access control and authentication 8
Session management 9
Data Validation 9
Vulnerability and Assessment testing 9
Overview of the application 11
Steps for banking app developer 12
1. Security requirement establishment 12
2. Attack surface analysis 12
3. Threat modeling implementation 12
4. Perform static analysis security testing 13
5. Interactive application security testing operation 13
6. Security gate creation 13
7. Ongoing source development education introduction 14
Overview of secure SDL 15
SDL Design 15
Security Requirements 16
Security Awareness and training 16
Threat modeling 17
Software tracking by third-party 18
Security Requirements and Assessment Testing for Banking Application_1

Secure build 18
QA and security testing 19
Data Retention and Disposal 21
Conclusion 22
Appendices 23
References 24
EXECUTIVE SUMMARY
This report details the secure development of the application, following a suitable
Secure Development Lifecycle model, e.g. Microsoft SDL. The terms used in the findings of
this report are:
• Policy framework
• Authentication
• Authorisation / access control
• Session management
• Data validation
• Vulnerability assessment and testing
• Logging
OVERVIEW
The security development lifecycle (SDL) is one of the main pillars of secure software. A
pillar here means the essential activities that provide assurance that the software is
secure. The SDL can also be described as the process of embedding security artefacts across
the whole application lifecycle. These SDL activities must be mapped onto a general software
development lifecycle (SDLC), whether it follows an agile or a waterfall process. Many
benefits are claimed for SDL projects, but the two main ones are:
Build buy-in.
Security by default.
A software development lifecycle describes the stages an application goes through from the
start to the end of its existence. Various SDLCs exist in companies today, and organizations
are free to define their own phases. The SDLC applies not only to applications delivered
directly to clients, but also to IT and software-as-a-service (SaaS) projects. (dzone.com, 2019)
Development methodologies such as Agile, CD and Lean require existing SDLCs to be rethought
and accommodations to be made. For instance, a team working in an agile environment may have
the following flow:
Figure 1. SDLC phases and activities
Applicable principles for web security:
Web security is based on the 7 principles elaborated below: (Spacey, 2011)
1. Authentication:
Confirming a user's identity.
2. Authorization:
Specifying which users have access rights to which resources.
3. Confidentiality:
Preventing disclosure of information to unauthorized systems.
4. Information integrity:
Information cannot be modified without the change being observed.
5. Availability:
Websites must be available and fast.
6. Accountability:
When a system accesses data, its actions must be traceable, for instance through
logging.
7. Non-repudiation:
The capacity to prove that a transaction took place, for instance through electronic
receipts.
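The integrity and accountability principles above can be demonstrated together with a tamper-evident audit log. The following is an added example, not code from the original report: each logged data access records who did what, to which resource and when, and each entry's MAC is chained to the previous one, so editing or deleting an entry is observed when the log is verified. The key, actors and timestamps are constructed sample values.

```python
# Added example (not from the original report): a tamper-evident audit log.
# Each entry's MAC covers the previous MAC, so editing or deleting an entry
# breaks the chain and is observed at verification (integrity), while each
# entry records who did what, to which resource, and when (accountability).
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key; assumption: a real deployment keeps it in a key store.
LOG_KEY = b"constructed-audit-log-key"
GENESIS = "0" * 64


def _mac(key: bytes, prev_mac: str, entry: Dict) -> str:
    # Canonical JSON so the same entry always yields the same MAC.
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, actor, action, resource, ts) -> Dict:
    """Record who did what to which resource, chained to the prior entry."""
    entry = {"actor": actor, "action": action, "resource": resource, "ts": ts}
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = dict(entry, mac=_mac(key, prev_mac, entry))
    log.append(record)
    return record


def verify_log(log: List[Dict], key: bytes) -> int:
    """Return the index of the first tampered entry, or -1 if intact."""
    prev_mac = GENESIS
    for i, record in enumerate(log):
        entry = {k: v for k, v in record.items() if k != "mac"}
        if not hmac.compare_digest(record["mac"], _mac(key, prev_mac, entry)):
            return i
        prev_mac = record["mac"]
    return -1


def demo() -> tuple:
    """Constructed sample log; altering one entry must be detected."""
    log: List[Dict] = []
    append_entry(log, LOG_KEY, "teller42", "read", "account/1001", "2022-08-30T10:00Z")
    append_entry(log, LOG_KEY, "teller42", "update", "account/1001", "2022-08-30T10:01Z")
    append_entry(log, LOG_KEY, "auditor7", "read", "account/1001", "2022-08-30T10:05Z")
    intact = verify_log(log, LOG_KEY)   # -1: chain consistent
    log[1]["actor"] = "nobody"          # try to hide who did the update
    return intact, verify_log(log, LOG_KEY)  # (-1, 1)
```

Removing only the last entry is not detected by the chain alone; the latest MAC or the entry count must be stored separately for that.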
Web application security
Policy framework:
Figure 2. Policy framework
Organizations need to establish a data protection strategy informed by the relevant
national regulation, merchant agreements, company directives and supporting best practices,
for instance OWASP. (Owasp.org, 2020)
a. COBIT:
It is a well-known risk management framework built around four domains:
Planning and Organisation
Delivery and Support
Acquisition and Implementation
Monitoring
b. ISO 27002:
It is a risk-based information security management framework derived directly from the
BS 7799 standard. It is an international standard and is used consistently across
organizations. A few US companies use ISO 27002 as well, especially if they have branches
outside the US.
c. Sarbanes-Oxley:
The main driver for several US companies in adopting the OWASP controls is to help with
ongoing Sarbanes-Oxley compliance. Following every control would not automatically make the
company SOX compliant. However, the development guide is useful as an acceptable application
control baseline, with in-house development forming part of a larger compliance programme.
Web application authentication:
There are 6 web authentication steps, elaborated below: (Killoran, 2018)
1. Create a web application authentication checklist:
The checklist must include four major steps, such as:
Data gathering
Plan of action
Security check execution