Security SIG: Security Requirements in the Software Development LifeCycle



  • Topic: What are the project's security requirements? Many a developer has faced this question, and most have been left with too little in the way of guidance. We will cover where security requirements come from and how to rationalize them when the project sponsors seem clueless. We will bring in important evolutionary trends in information security and show how these trends drive security functionality inside the code. We will discuss how the development environment should be approached so as not to break role-based access control and separation-of-duties requirements.

    Important steps in the SDLC will be described, including the creation of test cases, use cases, and misuse cases, along with using traceability as a positive demonstration of security functionality (almost certainly needed down the road). We will touch on the interaction between platform security (OS, DB and network) and application security, and on the role of ongoing testing and application self-testing. Attendees will come away with a handy reference to information security requirements in the context of the SDLC.


    James M. Anderson, Consultant, Rook Consulting

    James M. Anderson’s 30+ year career focuses on the implementation of leading edge information risk management programs and technologies for large enterprises around the world. Anderson is a Consultant at Rook Consulting, an advanced information risk management consultancy. In the past, he has served as Vice President, Global Information Security Services for Visa encompassing information security architecture and policy implementation for Visa’s worldwide regions. Prior to joining Visa, Anderson served domestic and international enterprise customers as Principal Consultant leading the information security practice of SRI Consulting and headed the International Institute for Information Integrity (I-4) as Program Director. Anderson headed the information security unit of Morgan Stanley after designing, implementing and managing the physical and information security program as Director of Security and Information Services at Lexis-Nexis, Inc. Earlier, Anderson served in a variety of IT roles in large commercial banks and at Deloitte Consulting assisting clients in the large scale systems arena. He has served on the advisory panels of both I-4 and the Computer Security Institute and published several articles for the information security community. Anderson did his undergraduate work in Industrial Engineering at Purdue University and has an MBA in accounting and finance from the University of Chicago Booth School of Business.

    Cubberley Community Center
    4000 Middlefield Road, Room H-1
    Palo Alto, CA

    6:30 - 7:00 p.m. Registration / Networking / Refreshments / Pizza
    7:00 - 9:00 p.m. Presentation and Discussion

    $15 at the door for non-SDForum members
    No charge for SDForum members
    No registration required