High Level Requirements Categories

Frameworks and stacks

 * 1) A secure, robust, flexible, easily supportable framework shall be chosen
 * 2) A secure, robust, enterprise-worthy platform stack shall be chosen
 * 3) Widely recognized and well-documented APIs (such as the ESAPI) shall be leveraged to ensure speed, consistency, and baseline security of the application
 * 4) Secure coding practices including security training and reviews shall be incorporated into each phase of development

Application Security

 * 1) NO PASSWORDS EMBEDDED IN CODE! REALLY!
 * 2) Input validation
 * 3) Whitelisting when possible
 * 4) Blacklisting by exception
 * 5) Escaping output
 * 6) Session controls
 * 7) Anti-trojan design considerations
 * 8) Email/SMS/telephone confirmation
 * 9) 2-factor authentication
 * 10) Transfer timing controls
 * 11) Number of simultaneous sessions permitted
 * 12) Detection of simultaneous sessions from different continents

Application

 * 1) See [[File:OWASP_Application_Security_Requirements_-_Identification_and_Authorisation_v0.1_(DRAFT).doc]]

Management and administration tools

 * 1) 2-Factor Authentication

Hash functions

 * 1) Code signing
 * 2) Message Digests

PCI DSS

 * 1) Current requirements
 * 2) OWASP Top 10
 * 3) WAF Integration considerations
 * 4) Ongoing testing considerations

GLBA

 * 1) Ain't it embarrassing that you do banking on-line but have NO IDEA what standards your bank is supposed to adhere to for safekeeping of YOUR money?!?
 * 2) Go ahead, list some requirements

National Compliance Requirements

 * 1) Privacy Policy
 * 2) Logging and log retention
 * 3) Content archiving and retention
 * 4) Protection of minors

Logging
Each transaction shall be available for review in detail for a period of no less than one year. Transactions shall be traceable to the username, IP address, and time within 1/100th of a second.
 * 1) Application
 * 2) OS, Webserver, and Database Logging
 * 3) Firewall, WAF, and other security device logging
 * 4) Event Triggers
 * 5) Periodic log reviews
 * 6) Event-driven log analysis
 * 7) Employee termination
 * 8) Suspected breach
 * 9) Honeypot trigger
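As an added illustration of the logging requirement above (this is example code, not part of the OWASP draft), the block below builds one transaction audit record that carries the username, the source IP address and a UTC timestamp with 1/100th-second precision, and then checks the one-year retention window and traces records back to a user or address. The JSON-style record layout, the ISO 8601 timestamp format, the `RETENTION_DAYS = 365` value and all function names are assumptions made for this example; the sample records are constructed.

```python
"""Added example: a minimal transaction audit record that is traceable to
username, IP address and time to 1/100th of a second, kept for one year.
Record layout, timestamp format and function names are assumptions."""
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # "no less than one year"; assumed as 365 days


def format_timestamp(when: datetime) -> str:
    """Render a timezone-aware datetime in UTC with exactly two fractional
    digits (centiseconds), which is the precision the requirement calls for."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    utc = when.astimezone(timezone.utc)
    centis = utc.microsecond // 10_000  # floor to 1/100th of a second
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{centis:02d}Z"


def parse_timestamp(ts: str) -> datetime:
    """Inverse of format_timestamp; %f accepts the two-digit fraction."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def make_record(username: str, source_ip: str, action: str, when: datetime) -> dict:
    """Build one audit record. A record that cannot be traced to a user and
    a well-formed address is rejected up front rather than logged half-empty."""
    if not username:
        raise ValueError("username is required for traceability")
    ip = ipaddress.ip_address(source_ip)  # raises ValueError on malformed input
    return {"ts": format_timestamp(when), "user": username, "ip": str(ip), "action": action}


def within_retention(record: dict, now: datetime) -> bool:
    """True while the record is inside the retention window and must be kept."""
    age = now.astimezone(timezone.utc) - parse_timestamp(record["ts"])
    return age <= timedelta(days=RETENTION_DAYS)


def trace(records, username=None, source_ip=None):
    """Return the records matching the given user and/or address, oldest first.
    The fixed-width timestamp format makes a plain string sort chronological."""
    hits = [r for r in records
            if (username is None or r["user"] == username)
            and (source_ip is None or r["ip"] == source_ip)]
    return sorted(hits, key=lambda r: r["ts"])


def sample_records():
    """Constructed sample data: two events from alice and one from bob, the
    latter supplied in a +02:00 zone to show normalisation to UTC."""
    utc = timezone.utc
    plus_two = timezone(timedelta(hours=2))
    return [
        make_record("alice", "203.0.113.7", "login",
                    datetime(2024, 3, 1, 12, 0, 0, 70_000, tzinfo=utc)),
        make_record("alice", "203.0.113.7", "transfer:100.00",
                    datetime(2024, 3, 1, 12, 0, 5, 500_000, tzinfo=utc)),
        make_record("bob", "198.51.100.23", "login",
                    datetime(2024, 3, 1, 14, 0, 0, 0, tzinfo=plus_two)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    for r in trace(recs, username="alice"):
        print(r)
    print("kept on 2024-06-01:", within_retention(recs[0], parse_timestamp("2024-06-01T00:00:00.00Z")))
    print("kept on 2025-06-01:", within_retention(recs[0], parse_timestamp("2025-06-01T00:00:00.00Z")))
```

Rejecting a record with a missing username or a malformed address at write time is the design choice worth noting: a transaction that was logged but cannot be traced back to a user and an address fails the requirement just as surely as one that was not logged at all.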

Additional Security Considerations
Steps shall be taken to ensure that support staff are aware of, and reduce the likelihood of, attempted compromise, tampering, fraud, physical theft, or denial of service.
 * 1) Decoys, Honeypots, and other devices for detection and delay
 * 2) Network, Hardware, Physical, OS, Platform, and Framework Considerations
   * Network Security Considerations
   * Hardware Security Considerations
   * Physical Security Considerations
   * OS Security Considerations
     * Hardening standards
   * Platform Security Considerations
     * Hardening standards
 * 3) Configuration management and auditing
 * 4) Patching
   * All components shall be compatible and capable of being fully patched within 30 days of a component security patch release
 * 5) Minimized attack surface
   * Removal of all demo code
   * Changing of all default passwords
 * 6) Robots.txt and passive crawler considerations

Operational Security Considerations

 * 1) Clean desk policy
 * 2) Bonding of outsourced/off-shored Developers
 * 3) Need to know
 * 4) Trade secrets
 * 5) Posting questions to help, support, and user forums
 * 6) Customer Service Identification and Authentication considerations
 * 7) Distinguishing a legitimate user from a social-engineering scam-artist