26 March 2008

A Framework for Computer Security Requirements Analysis


Abstract: The purpose of security engineering is to provide assurance of an adequately secure system. The purpose of computer security requirements analysis is to help provide this assurance, as far as is possible at the requirements stage, by:

* Identifying conflicts between requirements
* Estimating the level of security risk
* Providing heuristics on risk mitigation

This talk makes suggestions about how to map these aims to security requirements analysis tasks, and covers two areas in more detail:

- The relative places of reasoning and testing in performing vulnerability analysis, and the limited scope for this at the requirements stage.
- How to stop vulnerability analysis from exploding, by integrating a classical risk analysis approach into the framework.

