Security Requirements for the Rest of Us: A Survey

Most software developers aren't primarily interested in security. For decades, the focus has been on implementing as much functionality as possible before the deadline, and patching the inevitable bugs when it's time for the next release or hot fix. However, the software engineering community is slowly beginning to realize that information security is also important for software whose primary function isn't related to security. Security features or mechanisms typically aren't prominent in such software's user interface.
