1.1.1 - Example
This example outlines the initial setup of the Requirements Traceability Matrix (RTM), a framework designed to capture and organize findings from the Threat Modeling and Attack Surface Mapping and Reconnaissance and Preliminary Analysis phases. The RTM is currently empty but will systematically be filled with data as we progress through these phases. Establishing the RTM framework early ensures that all security insights and vulnerabilities identified are accurately documented, supporting effective analysis and decision-making throughout the security assessment process.
| Feature ID | Feature Description | Security Requirement | Identified Vulnerability | Test Method | Test Status | Assigned To |
|---|---|---|---|---|---|---|
| F001 | User Authentication | Password encryption | Weak password hashing | Conduct penetration testing using advanced password cracking tools to evaluate the strength of current hashing algorithms. | Planned | Security Team |
| F002 | Data Export | Data must be sanitized before export | SQL Injection | Perform automated scans and manual SQL injection tests to identify vulnerabilities in data export functionalities. | Completed | Dev Team |
Key Components of the RTM:
- Feature ID: A unique identifier for each feature within the application.
- Feature Description: A brief description of the feature’s functionality.
- Security Requirement: Specific security requirements associated with the feature.
- Identified Vulnerability: Vulnerabilities identified during the threat modeling or subsequent testing phases.
- Test Method: Detailed description of the testing approach, specifying the techniques and tools to be used for each identified vulnerability.
- Test Status: The current status of the test (e.g., Planned, In Progress, Completed).
- Assigned To: The team or individual responsible for carrying out the testing.