Transvasive Security

the human factor

AppSec USA 2012: Functional Security Requirements using Behavioral Security Modeling

I spoke today at OWASP AppSec USA on “Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements”. Although Karl Brophey was not able to join me, he was there in spirit. The talk was an updated version of our presentation at Secure360 earlier this year.

Here is a copy of the slides from the talk. OWASP will be posting a free video as well (thanks!) and I’ll add a link when that becomes available. Below is a the abstract and link to the white paper we wrote, which explains the ideas presented in the talk in greater detail.


Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and “requirement patterns” to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting post conditions are also discussed.


Behavioral Security Modeling: Functional Security Requirements