/system_security_reqs

Vibrant's (draft) software security standards (based on the OWASP Application Security Verification Standard)

Primary language: Python

System Security Requirements

Vibrant continues to invest in securing service delivery and protecting data critical to help seekers. Meanwhile, we are learning again that we write software.

This repository contains Vibrant's development of system security requirements. It is maintained by the InfoSec team.

Requirements Index

  1. architecture
  2. authentication
  3. session management
  4. access control
  5. validation, sanitation, & encoding
  6. cryptography
  7. error logging
  8. data protection
  9. communications
  10. malicious code
  11. business logic
  12. files & resources
  13. api
  14. configuration management

other resources

Introduction

Vibrant continues to awaken to concepts of security and the control of IT systems, and though we have started to invest (time, money, and person-power) in security, we have a long way to go.

So, these requirements should match Vibrant's consensus on achievable state-of-the-art. If you see anything that doesn't pass the Vibrant smell test, do reach out!

Important

It is very unlikely we meet the level 1 requirements considered 'adequate' first steps by NIST, much less level 2 or 3.

This set of requirements should be achievable. Consider them as possible release standards sometime in the near future and comment accordingly.

Usage

As we understand need and appetite, we will work with you (dear reader) to craft SMART requirements for your specific system development needs. (together 💌)

Origins

InfoSec chose the latest release of OWASP Application Security Verification Standard as the inspiration for Vibrant's security requirements, for a variety of reasons. Here are a few:

  • it maps directly to NIST guidelines
  • it offers tiers of requirements, allowing for variation in maturity and risk management
  • it represents consensus best-practice within a global application security community