A novel intelligent model for classify and evaluating non-functional security requirements form scenarios (original) (raw)
Related papers
Supporting requirements engineers in recognising security issues
… Foundation for Software …, 2011
Context & motivation: More and more software projects today are security-related in one way or the other. Many environments are initially not considered security-related and no security experts are assigned. Requirements engineers often fail to recognise indicators for security problems. Question/problem: Ignoring security issues early in a project is a major source of recurring security problems in practice. Identifying security-relevant requirements is labour-intensive and error-prone. Security may be neglected in order to finish on time and in budget. Principal ideas/results: In this paper, we address this problem by presenting a tool-supported method that provides assistance for requirements engineering, with an emphasis on security requirements. We investigate whether security-relevant requirements can be automatically identified with help of a Bayesian classifier. Our results indicate that this is feasible, in particular if the classifier is trained with domain specific data and documents from previous projects. Contribution: We show how the ability to identify security-relevant requirements can be integrated in a workflow of requirements analysis and reuse of experience. In practice, this can increase security awareness within the software development process. We discuss limitations and potential of this approach.
Security Requirements Elicitation via Weaving Scenarios Based on Security Evaluation Criteria
Seventh International Conference on Quality Software (QSIC 2007), 2007
Software is required to comply with the laws and standards of software security. However, stakeholders with less concern regarding security can neither describe the behaviour of the system with regard to security nor validate the system's behaviour when the security function conflicts with usability. Scenarios or usecase specifications are common in requirements elicitation and are useful to analyse the usability of the system from a behavioural point of view. In this paper, the authors propose a method to weave scenario fragments based on security evaluation criteria into scenarios. The experiments showed that the weaving method led to a better scenario than the method involving writing or modifying the scenario with reference to security evaluation criteria.
Moving from Requirements to Design Confronting Security Issues: A Case Study
Lecture Notes in Computer Science, 2009
Since the emergence of software security as a research area, it has been evident that security should be incorporated as early as possible in the software lifecycle. The advantage is that large gains can be achieved in terms of cost and effort compared to the introduction of security as an afterthought. The earliest possible phase to consider possible attacks is during requirements specification. A widely accepted approach to consider security in the requirements is the employment of misuse cases. In this paper we examine a case study to automatically generate a class diagram, based on the use and misuse cases present in the requirements. Particularly, we extend a natural language processing approach to move beyond a general domain model and produce a detailed class diagram. Moreover, security patterns are introduced in appropriate places of the design to confront the documented attacks and protect the threatened resources. Additionally, we perform an experimental study to investigate the tradeoff between the additional effort to mitigate the attacks and the security risk of the resulting system. Finally, the optimization problem of finding the smallest system regarding additional effort given a maximum acceptable risk is established and an appropriate algorithm to solve it is proposed.
Analysing Security and Software Requirements using Multi-Layered Iterative Model
2014
Nowadays, security is of great concern for any organization developing software systems for various requirements. Moreover, the same becomes more complicated during integration of security measures with agile software development methodology due to its lightweight informal nature. The requirements engineering is considered as one of the key element associated with any software development process. This motivates us to suggest a FLAMIRA model that provides seamless integration of security needs with software requirements in an iterative manner. In agile processes, requirements are recorded in the form of user stories developed jointly by customer’s representative and the development team. User stories are useful for agile processes as they define requirements using a low-cost, user centric and flexible approach. Keeping this aspect in mind we are integrating abuser stories for security requirements with user stories. FLAMIRA is a multi-layered model which shows us the path to be foll...
IEEE Access
Secure Patterns provides a solution for the security requirement of the software. There are a large number of secure patterns and it is quite difficult to choose an appropriate pattern. Moreover, selection of these patterns needs security knowledge, commonly developers are not specialized in the domain of security knowledge. This research can help in the selection of secure pattern on the basis of tradeoffs of the secure pattern using text categorization. A repository of secure design patterns is used as a dataset and a repository of requirements artifacts in the form of software requirements specification (SRS) are used for this research. A text categorization scheme which begins with preprocessing, indexing of secure patterns ends up by querying SRS features for retrieving secure design pattern using document retrieval model. For the evaluation of the proposed model, we have used three different domains SRS. These three SRS documents represent three different domains i.e. e-commerce, social media, and desktop utility program. A traditional precision and recall method along with F-measure used for evaluation of information/document retrieval model is used to evaluate the results. F-measure for 17 different design problems shows around 81% accuracy with recall up to 0.69%.
IJERT-Security Measures in Requirement Development Using Defense in Depth
International Journal of Engineering Research and Technology (IJERT), 2013
https://www.ijert.org/security-measures-in-requirement-development-using-defense-in-depth https://www.ijert.org/research/security-measures-in-requirement-development-using-defense-in-depth-IJERTV2IS80794.pdf Human utilizes the electronic machine-computer to minimize his work, which is safe and secure. Software engineering plays a major role in the entire upcoming field. Security is the main principles in all the process. Different principles are used to protect and secure the software process. Now-a-days software engineering processes are practiced with principles and techniques for efficient requirement gathering in the requirement phase. Various risks may occur during the development life cycle of software. To manage the risks, use of multiple defensive strategies are employed and the purpose of using the method helps us to protect if one layer of defense turns out to be inadequate, another layer of defense will, ideally, prevent a full breach. This paper deals with the defense in depth method in requirement development of requirement engineering phase to protect the details of a software process.
Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering
Security is getting substantial focus in many industries, especially safety-critical ones. When new regulations and standards which can run to hundreds of pages are introduced, it is necessary to identify the requirements in those documents which have an impact on security. Additionally, it is necessary to revisit the requirements of existing systems and identify the security related ones. We investigate the feasibility of using a classifier for security-related requirements trained on requirement specifications available online. We base our investigation on 15 requirement documents, randomly selected and partially pre-labelled, with a total of 3,880 requirements. To validate the model, we run a cross-project prediction on the data where each specification constitutes a group. We also test the model on three different United Nations (UN) regulations from the automotive domain with different magnitudes of security relevance. Our results indicate the feasibility of training a model from a heterogeneous data set including specifications from multiple domains and in different styles. Additionally, we show the ability of such a classifier to identify security requirements in real-life regulations and discuss scenarios in which such a classification becomes useful to practitioners. CCS CONCEPTS • Security and privacy → Software and application security.
Based on a Security Requirements Engineering Process
2010
Integration of security into the early stages of the system development is necessary to build secure systems. However, in the majority of software projects security is dealt with when the system has already been designed and put into operation. This paper will propose an approach called SREP (Security Requirements Engineering Process) for the development of secure software. We will present an iterative and incremental micro-process for the security requirements analysis that is repeatedly performed at each phase. It integrates the Common Criteria into the software lifecycle model as well as it is based on the reuse of security requirements, by providing a security resources repository. In brief, we will present an approach which deals with the security requirements at the early stages of software development in a systematic and intuitive way, and which also conforms to ISO/IEC 17799:2005.
Analysing Requirements to Detect Latent Security Vulnerabilities
2014 IEEE Eighth International Conference on Software Security and Reliability-Companion, 2014
To fully embrace the challenge of securing software, security concerns must be considered at the earliest stages of software development. Studies have shown that this reduces the time, cost and effort required to integrate security features into software during development. In this paper we describe a loophole analysis technique for uncovering potential vulnerabilities in software requirements specifications and describe its use using an example.