SecurityRAT (“Security Requirement Automation Tool”) is a tool helping you manage security requirements in your agile development projects.
The basic idea is very simple: you specify the properties of an application (usually, we use the name “artifact”) that you’re developing. Based on these properties, the tool gives you a list of security requirements you should fulfill.
For each requirement, you can decide whether it should/will be implemented and add your own comment (or e.g. reasoning why you’re not going to implement it if you’ve decided against it). Once you’re done, you can persist the particular requirement set in a JIRA ticket for documentation purposes (the requirement set is attached as a YAML file).
Afterwards, you can create JIRA tickets for particular requirements in a batch mode and track them with SecurityRAT. The workflow is shown on the image below:
Finally, you can use SecurityRAT to load requirement set persisted in Step 3. SecurityRAT will also load the information to all issues created for this set and display their status.
For getting more information about the tool in 40 minutes, you can watch this video from the OWASP AppSecEU 2016 Conference:
Try it out!
You can play around with a public demo instance of SecurityRAT under https://securityrat.org, including changing requirements. All settings are restored every 24 hours.