Rethinking Security Requirements in RE Research Technical Report (original) (raw)

A systematic review of security requirements engineering

COMPUTER STANDARDS INTERFACES, 2010

One of the most important aspects in the achievement of secure software systems in the software development process is what is known as Security Requirements Engineering. However, very few reviews focus on this theme in a systematic, thorough and unbiased manner, that is, none of them perform a systematic review of security requirements engineering, and there is not, therefore, a sufficiently good context in which to operate. In this paper we carry out a systematic review of the existing literature concerning security requirements engineering in order to summarize the evidence regarding this issue and to provide a framework/background in which to appropriately position new research activities.

1 Security Requirements Engineering: A Survey

2008

Security has become a primary and prevalent concern for software systems. The past decade has witnessed a tremendous increase in not only the sheer number of attacks but also the ease with which attacks can be performed on systems. We believe that in order to protect a system against harm (intended or not), attention must be given to its requirements. Similar to other system properties and quality attributes, security must be considered from inception, in other words starting with requirements. Security is a nonfunctional requirement (NFR) that is increasingly critical in its importance, unique in its requirements, yet must still be integrated with all other functional and non-functional requirements and mapped into successful architectures, designs, and implementation. Similar to other nonfunctional requirements, the unique nature and demands of security make it difficult and often ineffective to specify security concerns using "general purpose " requirements methods. As ...

Security Requirements; The Strange Relationship Between Application and Security Requirements.

Security has taken a backseat to functional requirements and the costs have been high for this. The standard methodology of functional and non-functional requirements is not helping to solve this. When security is addressed in a functional requirement there is an assumption the development team has the correct level of security expertise and things are missed. At time security verification gets done at a later stage in development or even after release; causing costly fixes.

A Framework for Security Requirements Engineering

Proceedings of the 2006 …, 2006

This paper presents a framework for security requirements elicitation and analysis, based upon the construction of a context for the system and satisfaction arguments for the security of the system. One starts with enumeration of security goals based on assets in the system. These goals are used to derive security requirements in the form of constraints. The system context is described using a problem-centered notation, then this context is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument is in two parts: a formal argument that the system can meet its security requirements, and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context, or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems.

COMPARATIVE LITERATURE ANALYSIS ON SECURITY REQUIREMENTS ENGINEERING

Security Requirements Engineering is one of the most important parts of the software development lifecycle that assist the software developer in developing a quality cost effective software application. Security requirements are the non-functional requirements which must be considered early in the software development lifecycle with functional requirements. However, elicitation of effective and efficient security requirements is not an easy task. There are several security requirements engineering techniques. This paper presents a comparative literature analysis of several existing security requirements engineering approaches for the development of secure software application. We discuss each existing security requirements engineering approach. We also comparatively analyze existing security requirements engineering approaches according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities.

Security Requirements Engineering; State of the Art and Research Challenges

2008

In recent years software has faced a new challenge called security. The new idea in software security which has attracted the world's attention is to keep security in mind during development process. As requirements analysis plays an infrastructural role in this process, software security requirements would naturally be considered fundamental in secure software development. Stating peculiarities and deficiencies in security

Software Security Requirements Engineering: State of the Art

Communications in Computer and Information Science, 2015

Software Engineering has established techniques, methods and technology over two decades. However, due to the lack of understanding of software security vulnerabilities, we have not been so successful in applying software engineering principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security can not be just added after a system has been built and delivered to customers as seen in today's software applications. This keynote paper provides concise methods, techniques, and best practice requirements guidelines on software security and also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators.

Towards the Weaving of the Characteristics of Good Security Requirements

Lecture Notes in Computer Science, 2017

Over the past two decades, there has been a significant emphasis on the research work towards the amelioration within the discipline of security requirements engineering. Many researchers, international standards and organizations have come up with various methodologies to facilitate the elicitation and evaluation of security requirements. However, the task of deriving good quality requirements still remains challenging. One of the main reasons is that there is no consensus in defining what is a good and a bad requirement. The purpose of this paper is to provide with a survey of various quality characteristics of requirements proposed by various authors from different perspectives. Our survey analysis shows that there are a total of 20 distinctive characteristics that are defined in order to evaluate the quality aspects of requirements.

Applying a security requirements engineering process

2006

Nowadays, security solutions are mainly focused on providing security defences, instead of solving one of the main reasons for security problems that refers to an appropriate Information Systems (IS) design. In fact, requirements engineering often neglects enough attention to security concerns. In this paper it will be presented a case study of our proposal, called SREP (Security Requirements Engineering Process), which is a standard-centred process and a reuse-based approach which deals with the security requirements at the earlier stages of software development in a systematic and intuitive way by providing a security resources repository and by integrating the Common Criteria into the software development lifecycle. In brief, a case study is shown in this paper demonstrating how the security requirements for a security critical IS can be obtained in a guided and systematic way by applying SREP.