STORE: Security Threat Oriented Requirements Engineering Methodology

Abstract: As we increasingly depend on information technology, adopting electronic channels and software applications for business, online transactions and communication, software security is becoming a necessity and a more advanced concern. Both functional and non-functional requirements are important and address the necessary needs in the early phases of the software development process, specifically in the requirements phase. The aim of this research is to identify security threats early in the software development process, helping the requirements engineer elicit appropriate security requirements in a more systematic manner throughout the requirements engineering process and so ensure secure, high-quality software development. This article proposes the STORE methodology for security requirements elicitation based on security threat analysis, which includes the identification of four points (PoA, PoB, PoC and PoD) for effective security attack analysis. The proposed STORE methodology is validated by a case study of an ERP system. We also compare the STORE methodology with two existing techniques, namely SQUARE and MOSRE. We show that more effective and efficient security requirements can be elicited with the STORE methodology and that it helps the security requirements engineer elicit security requirements in a more organized manner.
