The January meeting of the Atlanta IIBA was excellent. We had about 40 attendees and a great presentation. The presenter was Ryan English from SpiDynamics.
Ryan spoke about web application security vulnerabilities and pointed out that requirements documents should always include security requirements. These requirements fall into the category the BABOK™ calls Quality of Service requirements. Ryan quoted a couple of interesting statistics: 64% of developers are not confident in their ability to write secure applications, and 70% of security violations occur at the application level. I believe both of these numbers can be improved with more awareness and training. As BAs we should ask our developers whether they are familiar with the most common security risks. We should encourage them to get training and learn more about how they can prevent common vulnerabilities, and we should encourage our managers to send developers to that training. We also need to educate ourselves about the risks and about how we can prevent them by writing excellent requirements. We don’t need to be experts on security risks; many of us work for large organizations that have a security officer in the IT division. If you have access to an internal resource like this, take him out to lunch! Read the white papers available on the SpiDynamics web page, and search the web for information about security in your industry. With an experienced BA, a little knowledge goes a long way. We don’t need to become security experts, because we know how to ask good questions and interview the people who have the knowledge. We just need to be aware of the issues.