OWASP SecurityRAT (Requirement Automation Tool) is a tool intended to help with addressing security requirements during application development. The typical use case is:
- specify the parameters of the software artifact you are developing
- based on this information, a list of common security requirements is generated
- go through the list and decide how you want to handle each requirement
- persist the resulting state in a JIRA ticket (the state is attached as a YAML file)
- create JIRA tickets for the individual requirements in batch mode in the developers' queues
- import the main JIRA ticket into the tool at any time to see the progress of the individual tickets
The core functionality of SecurityRAT can be described in the following steps:
- You tell SecurityRAT what kind of software artifact you are going to develop or are already running.
- SecurityRAT tells you which requirements you should fulfill.
- You decide how you want to handle each of these requirements.
- You persist the artifact state in an issue tracker and create tickets for the requirements where an explicit action is necessary.
- Throughout the continued development of the artifact, you respect the rules defined in SecurityRAT and document relevant changes in requirement compliance whenever appropriate.
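To make the workflow in the two lists above concrete, here is an added, self-contained model of it: an artifact description selects requirements from a catalog, a decision is recorded per requirement, the requirements that still need an explicit action are handed to batch ticket creation, and the persisted state is combined with ticket status to report progress. This is illustration code written for this page, not SecurityRAT's own code or API: the parameter names, requirement IDs, decision values, ticket keys and the layout of the state document are all constructed, and the real YAML attachment format is not described on this page.

```python
# Added illustration of the SecurityRAT-style workflow (not SecurityRAT code).
# Every identifier below (parameter names, requirement IDs, decision values,
# ticket keys, state layout) is constructed for this example.

# Constructed requirement catalog. "when" lists the artifact parameter values
# a requirement applies to; an empty condition means it always applies.
CATALOG = [
    {"id": "R-1", "text": "Authenticate all users", "when": {}},
    {"id": "R-2", "text": "Enforce TLS for all external traffic",
     "when": {"exposure": {"internet"}}},
    {"id": "R-3", "text": "Validate and encode all user input",
     "when": {"kind": {"web-app", "api"}}},
    {"id": "R-4", "text": "Encrypt card data at rest",
     "when": {"data": {"pci"}}},
]

# Hypothetical decision values. Only "implement" needs a developer ticket;
# the other two document why no explicit action is taken.
DECISIONS = {"implement", "fulfilled", "not-applicable"}


def select_requirements(artifact, catalog=CATALOG):
    """Return the catalog entries whose conditions match the artifact parameters."""
    return [req for req in catalog
            if all(artifact.get(key) in allowed
                   for key, allowed in req["when"].items())]


def new_state(artifact, decisions):
    """Build the per-artifact state that would be persisted on the main ticket.

    Every selected requirement must have a decision; undecided or unknown
    values are rejected so the persisted state is never half-finished.
    """
    state = {"artifact": dict(artifact), "requirements": []}
    for req in select_requirements(artifact):
        decision = decisions.get(req["id"])
        if decision not in DECISIONS:
            raise ValueError(f"missing or unknown decision for {req['id']}: {decision!r}")
        state["requirements"].append(
            {"id": req["id"], "decision": decision, "ticket": None})
    return state


def tickets_to_create(state):
    """Requirements decided as 'implement' that do not have a ticket yet
    (the input for batch ticket creation)."""
    return [r["id"] for r in state["requirements"]
            if r["decision"] == "implement" and r["ticket"] is None]


def attach_tickets(state, created):
    """Record the ticket keys returned by the tracker in the state."""
    for r in state["requirements"]:
        if r["id"] in created:
            r["ticket"] = created[r["id"]]
    return state


def progress(state, ticket_status):
    """Summarise compliance after re-importing the main ticket.

    ticket_status maps ticket key -> status string from the tracker;
    "Done" is treated as resolved (a constructed convention).
    """
    summary = {"total": 0, "done": 0, "open": 0, "excluded": 0}
    for r in state["requirements"]:
        summary["total"] += 1
        if r["decision"] == "fulfilled":
            summary["done"] += 1
        elif r["decision"] == "not-applicable":
            summary["excluded"] += 1
        elif r["ticket"] and ticket_status.get(r["ticket"]) == "Done":
            summary["done"] += 1
        else:
            summary["open"] += 1
    return summary


if __name__ == "__main__":
    artifact = {"kind": "web-app", "exposure": "internet", "data": "pii"}
    state = new_state(artifact, {"R-1": "implement", "R-2": "fulfilled",
                                 "R-3": "implement"})
    todo = tickets_to_create(state)
    attach_tickets(state, {rid: f"DEV-{100 + i}" for i, rid in enumerate(todo, 1)})
    print(progress(state, {"DEV-101": "Done", "DEV-102": "In Progress"}))
```

The point of keeping the decision per requirement next to the ticket key is that a later re-import can distinguish "no action needed" from "action still open" without consulting the tracker for every requirement, which is what the progress view in the last step of the list relies on.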
The current focus of SecurityRAT is on automating the procedure rather than on the quality of the requirements themselves. A starter set of requirements is provided; nevertheless, it is recommended to create your own set of requirements that fits your company's risk profile.
Copyright 2016 Daniel Kefer