Friday, February 15, 2013

Security as a functional concern

As we embark on a pretty large system rewrite, one of my goals is to bring some concerns that are traditionally handled just in time to the forefront, as first-class citizens in design and implementation. One of these concerns is security, and one of the ways I want to make it a first-class citizen is to make sure it's injected at the source (via business requirements), so that it flows all the way through the development and QA pipelines and is verifiable at different stages. This isn't the only way I'd like to tackle security, but it's probably the most visible.

Given recent examples of security breaches that aren't a result of a technical bug in the system, ensuring business stakeholders and product owners take notice of security is an important goal.


Functional requirements and user stories should be created to express security aspects. For example: “As a user, I do not want another user to see my list of purchases” or “As a user, I want to be notified by email if I or someone else attempts to change my password”.

User stories should be created to allow for auditing of sensitive actions. For example “As a user I want to see my purchase history” or “As a user I want to see what devices have accessed my account”.

User stories should be created to allow users to flag security breaches and prevent further breaches. For example “As a user, I want to report unauthorized purchases on my account and prevent further purchases until I have talked to customer service”.

Personas should be created to model nefarious users whose goal is to hack the system. User stories for these personas must have acceptance criteria ensuring they fail. For example: “As a hacker, I want to be able to reset another user’s password” or “As a hacker, I want to impersonate another user by gaining access to their session cookie if they are logged on over an open wireless network”.

Functional QA tests must exist to ensure the security user stories have been successfully implemented and to facilitate regression testing.

Security is a first-class citizen in domain logic. Ensuring a user can only view or update their own information should be explicitly expressed in domain code. Do not leave security trimming to infrastructure alone.
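
An added example (not code from the original post) of the last two points: the ownership rule from the purchase-list story is enforced inside a domain object, and the acceptance check for a nefarious persona passes only when the attempt is refused. The class and function names, the `mallory` persona and the sample purchases are constructed for illustration.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised by the domain layer when a security user story would be violated."""


@dataclass(frozen=True)
class User:
    user_id: str


@dataclass(frozen=True)
class Purchase:
    owner_id: str
    item: str


@dataclass
class PurchaseLedger:
    """Domain object: the ownership rule lives here, not only in a web filter."""
    purchases: list = field(default_factory=list)
    denied_attempts: list = field(default_factory=list)  # audit trail of refusals

    def record(self, purchase: Purchase) -> None:
        self.purchases.append(purchase)

    def history_for(self, requester: User, owner_id: str) -> list:
        # Story: "As a user, I do not want another user to see my list of purchases."
        if requester.user_id != owner_id:
            self.denied_attempts.append((requester.user_id, owner_id))
            raise AccessDenied(f"{requester.user_id} may not read purchases of {owner_id}")
        return [p for p in self.purchases if p.owner_id == owner_id]


def abuse_story_fails(ledger: PurchaseLedger, attacker: User, victim_id: str) -> bool:
    """Acceptance criterion for a nefarious persona: True only if the attempt is refused."""
    try:
        ledger.history_for(attacker, victim_id)
    except AccessDenied:
        return True
    return False


def build_sample_ledger() -> PurchaseLedger:
    """Constructed sample data, not taken from any real system."""
    ledger = PurchaseLedger()
    ledger.record(Purchase("alice", "book"))
    ledger.record(Purchase("bob", "laptop"))
    return ledger
```

Because the check sits in `history_for`, the same regression test holds whichever entry point (web, API, batch job) calls the domain object.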

