blabla1337 / skf-flask

Security Knowledge Framework (SKF) Python Flask / Angular project
https://www.securityknowledgeframework.org
Apache License 2.0

Choosing multiple categories when defining security requirements #758

Closed shahamit closed 2 years ago

shahamit commented 2 years ago

SKF looks like a perfect framework for adopting a secure development lifecycle. The key feature I understand SKF brings is reducing the effort of going through hundreds of checkpoints (~300) in the checklists, by reviewing only the appropriate ones that apply to the feature or the enhancement. I have a few doubts/queries, as listed below:

  1. At what point do we do the threat modelling exercise (defining a DFD and listing the threats) when adopting SKF in our SDLC, or would just reviewing the generated security requirements be enough to confirm from a security standpoint?
  2. Would we have to define multiple sprints when a feature falls under multiple categories of a checklist?

Thanks.

github-actions[bot] commented 2 years ago

Thank you for creating an issue ticket for our SKF project, we highly appreciate the feedback so we can improve the project and make it more awesome for everyone! We will shortly come back to you after the evaluation of the issue.

blabla1337 commented 2 years ago

1) First, I would suggest adjusting the ASVS or MASVS according to the company's needs, removing and adding your specific requirements. You can do this based on earlier threat modelling exercises. I would also suggest, after the requirements are created, adding the business risk impact scenarios that came out of the threat modelling exercise.

I'm happy to discuss it more in depth, if you like, in our Slack or Gitter channel.

2) In the SOO branch we have a new selector for the project wizard where you can select multiple categories for your feature.