Security Requirements Gathering

Case Study: Application Security Requirements Gathering

The elicitation of both standard and custom security requirements for a major financial institution.

Training: Application Security for Managers

Learn how to make effective, risk-based decisions about application projects.


A successful development project starts with thorough requirements engineering. Unfortunately, security requirements are often overlooked. Furthermore, their elicitation is not a trivial exercise — they tend to be obscure, generic, and out-of-date.

Security Compass will work with your organizational stakeholders and requirements engineers to collect your business goals and drivers, assemble profiles of your existing applications, and draft a reusable set of standard application security requirements. These requirements will serve as a baseline from which specific requirements, tailored to a specific application, can be derived.

Custom Solution

Security Compass recommends the derivation of standard application security requirements tailored to your organizational drivers and stakeholders. This standard list can be extended or customized to fit the needs of any application.

Meet Our Experts

  • Subu Ramanathan

    Security Consultant

    Having spent years as developers before entering the world of security, our consultants recognize the value of addressing application security as early as possible — during requirement elicitation.

    Outside the office, Subu regularly teaches courses in Exploiting and Defending Web Applications, Advanced Application Attacks and Mobile Hacking to Security Compass' clients across the globe, and has spoken at numerous mobile security conferences, with talks including "Blackberry, 'Droid and IOS/iPhone: Which One is the Safest?" (panel discussion, MISTI Mobile & Smart Device Conference, 2011) and "Bust a Cap in an Android App" (ToorCon, 2011). Whether Subu is providing technical insight to your development teams or presenting key findings that may have a direct business impact to your executive team, he believes that each client's needs are unique and presents each finding as it relates exclusively to your business.


Security Compass consultants guide your team of business analysts and organizational stakeholders to derive a baseline set of standard, reusable application security requirements.

Key Business Benefits

  • Address application security from the outset.
  • Arm your organization with a baseline of requirements from which tailored, application-specific requirements can be derived.
  • Save on remediation costs by identifying and addressing vulnerabilities prior to development.


Our methodology for security requirements elicitation identifies your organization's goals and business drivers, analyzes your current application landscape, derives the current threat landscape, and implements a standard list of application security requirements that can be leveraged to fit a specific application.
