CLASP Roles Flashcards
What are the seven roles in CLASP?
1) Architect 2) Designer 3) Implementer 4) Project Manager 5) Requirements Specifier 6) Security Auditor 7) Test Analyst
What are the key responsibilities of the project manager?
1- Promoting awareness among the team: all team members are exposed to the application security strategy, and several are trained in the necessary skills.
2- Promoting awareness outside the team: the rest of the organization needs to understand the impact of application security on the business.
3- Monitoring the health of the organization: this involves defining a set of basic business metrics and applying them on a regular basis.
What are the key responsibilities of the requirements specifier?
1- Obtaining business requirements relevant to security: particularly those things that will need to be considered by an architect.
2- Determining protection requirements for architecture resources: by categorizing resources into protection levels, and addressing each core security service for each protection level.
3- Specifying misuse cases: which demonstrate to the stakeholder the major security considerations that manifest themselves in the system design.
What is the key role of the Architect?
He figures out how the necessary security technologies integrate into the overall system (from an architectural level).
The architect should explicitly document trust assumptions in each part of the system.
He should facilitate security requirements.
How can an architect facilitate better security requirements?
1- Need only understand the security implications of technologies well enough that he does not introduce any obvious security errors.
2- Enumerate in detail all resources in use by a system.
3- Identify the roles in the system that will use each resource.
4- Identify the basic operations on each resource.
5- Help people understand how resources interact with each other through the lifetime of the system.
What is the key responsibility of the Designer?
To keep security risks out of the application whenever possible.
What steps can a designer take to keep security risks out of the application?
1- Figure out what technologies will satisfy security requirements and research them to determine how to use those technologies properly.
2- Assess the consequences of a security flaw found in the application and determine how best to address the problem.
3- Provide data that can be used as metrics or as a foundation for an application security review (support measuring quality).
Why do designers have the most security-relevant work of all the traditional development roles?
Because they need to:
- Push back on requirements that may have unrecognized security risks.
- Give the implementer a road map in order to minimize the risk of errors requiring an expensive fix.
- Understand the security risks of integrating third-party software.
They are generally the point person for responding to security risks identified in the software.
What is the key role of an implementer?
Primarily following coding standards and documenting the system well enough to make it easier for third parties to determine whether the software is as secure as it should be. Sometimes the documentation will be aimed at the end users, helping to ensure that they know how to use the product securely.
What is the key role of a security auditor?
The basic role of a security auditor is to examine the current state of a project and try to assure the security of that state.
How can a security auditor examine and assure the current state?
When examining requirements, the auditor will attempt to determine whether the requirements are adequate and complete.
When looking at a design, the auditor will generally attempt to determine whether there are any implications that could lead to vulnerabilities.
In addition, when looking at an implementation, the auditor will generally attempt to find overt security problems, which should be mappable to deviations from a specification.
What is the role of a Test Analyst?
Should still be testing to requirements, implementing regression suites, and so on, but will require new testing tools.
Beyond tool training and learning about risks well enough to be able to check for them, testing groups do not need to be security experts.