
3 Security Requirements Design and Implementation

The security requirements document feeds the design and validation teams. The design methodology for security features is no different from the general design methodology for regular functional requirements. The same is not true for the validation methodology. The aim of functional requirements validation is to verify that a system does properly what it was designed to do. Security validation shall also simulate illegal or unexpected scenarios (e.g. writing to reserved bits in a register or applying an incorrect power-up sequence) and verify that the system's behaviour remains predictable and that security assets are not compromised.
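The reserved-bit scenario above, as an added example (not part of the original page): a behavioural model of a hypothetical control register with a write-once LOCK bit as the security asset, plus a negative validation routine that drives illegal writes at it and checks that reserved bits never latch and the lock cannot be undone. The register layout and masks are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical control register layout (constructed for this example):
 *   bit 0      ENABLE  (read/write)
 *   bits 1-3   MODE    (read/write)
 *   bit 31     LOCK    (write-once: once set, the register is read-only)
 *   all other bits are reserved: read as zero, writes are ignored. */
#define REG_ENABLE_MASK   0x00000001u
#define REG_MODE_MASK     0x0000000Eu
#define REG_LOCK_MASK     0x80000000u
#define REG_WRITABLE_MASK (REG_ENABLE_MASK | REG_MODE_MASK | REG_LOCK_MASK)

typedef struct {
    uint32_t value;
} ctrl_reg_t;

/* Behavioural model of the hardware write path. */
void ctrl_reg_write(ctrl_reg_t *r, uint32_t v)
{
    if (r->value & REG_LOCK_MASK) {
        return;                        /* locked: every write is dropped */
    }
    r->value = v & REG_WRITABLE_MASK;  /* reserved bits never latch */
}

uint32_t ctrl_reg_read(const ctrl_reg_t *r)
{
    return r->value;
}

/* Negative validation: illegal writes must leave behaviour predictable and
 * the LOCK asset intact. Returns true only when every check passes. */
bool validate_illegal_writes(void)
{
    ctrl_reg_t r = { 0 };

    /* 1. Writing all-ones must not latch any reserved bit. */
    ctrl_reg_write(&r, 0xFFFFFFFFu);
    if (ctrl_reg_read(&r) & ~REG_WRITABLE_MASK) return false;

    /* 2. LOCK was set by the write above, so the register is now read-only:
     *    attempts to clear LOCK or to change MODE must be ignored. */
    uint32_t before = ctrl_reg_read(&r);
    ctrl_reg_write(&r, 0x00000000u);
    if (ctrl_reg_read(&r) != before) return false;
    ctrl_reg_write(&r, REG_MODE_MASK);
    if (ctrl_reg_read(&r) != before) return false;

    /* 3. Reserved bits still read as zero after the whole sequence. */
    return (ctrl_reg_read(&r) & ~REG_WRITABLE_MASK) == 0;
}
```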

The Risk Register should be maintained throughout the project, and the threat probabilities reassessed in light of the mitigations put in place, so that the Risk Factor is reduced to an Acceptable level.

What is Acceptable? This is a qualitative assessment that the product owner needs to make, weighing the risk to reputation, customer expectation and the cost of rectification in case of a security failure.