Tuesday, October 6, 2009

High level application security requirements

Hey ISO, wouldn't it be handy to have a set of high level security requirements for business applications, with a list of security controls, maybe on a sliding scale based on the risk of the application? I propose the following for the high level categories (can't have too many, so I have consolidated similar ones):
- secure authentication and session management
- secure authorisation and access control
- data canonicalisation, known-good input validation, and sanitisation for storage and output
- logging, monitoring and reporting
- interface authentication and encryption
- data-at-rest encryption and database security

Maybe I should have a look at the Orange Book, Common Criteria, etc.?
