IT 项目的安全需求（一）— CLASP

CLASP Best Practices

CLASP Activities

Related Project Roles

1. Institute awareness programs

Institute security awareness program

Project manager

2. Perform application assessments

Perform security analysis of system requirements and design (threat modeling)

Security auditor

Perform source-level security review

Owner: security auditor

Key contributor: implementer, designer

Identify, implement, and perform security tests

Test analyst

Verify security attributes of resources

Tester

Research and assess security posture of technology solutions

Owner: designer

Key contributor: component vendor

3. Capture security requirements

Identify global security policy

Requirements specifier

Identify resources and trust boundaries

Owner: architect

Key contributor: requirements specifier

Identify user roles and resource capabilities

Owner: architect

Key contributor: requirements specifier

Specify operational environment

Owner: requirements specifier

Key contributor: architect

Detail misuse cases

Owner: requirements specifier

Key contributor: stakeholder

Identify attack surface

Designer

Document security-relevant requirements

Owner: requirements specifier

Key contributor: architect

4. Implement secure development practices

Apply security principles to design

Designer

Annotate class designs with security properties

Designer

Implement and elaborate resource policies and security technologies

Implementer

Implement interface contracts

Implementer

Integrate security analysis into source management process

Integrator

Perform code signing

Integrator

5. Build vulnerability remediation procedures

Manage security issue disclosure process

Owner: project manager

Key contributor: designer

Address reported security issues

Owner: designer

Fault reporter

6. Define and monitor metrics

Monitor security metrics

Project manager

7. Publish operational security guidelines

Specify database security configuration

Database designer

Build operational security guide

Owner: integrator

Key contributor: designer, architect, implementer