Category:BP3 Capture security requirements

Overview
Ensure that security requirements have the same level of “citizenship” as all other “must haves.” It’s easy for application architects and project managers to focus on functionality when defining requirements, since they support the greater purpose of the application to deliver value to the organization. Security considerations can easily go by the wayside. So it is crucial that security requirements be an explicit part of any application development effort. Among the factors to be considered:
 * An understanding of how applications will be used, and how they might be misused or attacked.
 * The assets (data and services) that the application will access or provide, and what level of protection is appropriate given your organization’s appetite for risk, regulations you are subject to, and the potential impact on your reputation should an application be exploited.
 * The architecture of the application and probable attack vectors.
 * Potential compensating controls, and their cost and effectiveness.