Automated Support for Security Requirements Engineering in Software Product Line Domain Engineering

Security and requirements engineering are one of the most important factor of success in the development of a software product line due to the complexity and extensive nature of them, given that a weakness in security can cause problems throughout all the products of a product line. However, without a CARE (Computer-Aided Requirements Engineering) tool, the application of any security requirements engineering process or methodology is much more difficult because it has to be manually performed. Therefore, in this paper, we will present a prototype of SREPPLineTool, which provides automated support to facilitate the application of the security quality requirements engineering process for software product lines, SREPPLine. SREPPLineTool simplifies the management of security requirements in product lines by providing us with a guided, systematic and intuitive way to deal with them from the early phases of product lines development, simplifying the management and the visualization of the artefacts variability and traceability links and the integration of the security standards, as well as the management of the security reference model proposed by SREPPLine. Finally we shall illustrate the application of SREPPLineTool by describing a simple example as a preliminary validation of it

[1]  Mario Piattini,et al.  A comparison of the Common Criteria with proposals of information systems security requirements , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[2]  Andreas Birk,et al.  Challenges for Requirements Engineering and Management in Software Product Line Development , 2007, REFSQ.

[3]  Paul Clements,et al.  Software product lines - practices and patterns , 2001, SEI series in software engineering.

[4]  Axel van Lamsweerde,et al.  Elaborating security requirements by construction of intentional anti-models , 2004, Proceedings. 26th International Conference on Software Engineering.

[5]  日本規格協会 情報技術-セキュリティ技術-情報セキュリティマネジメントシステム-要求事項 : 国際規格ISO/IEC 27001 = Information technology-Security techniques-Information security management systems-Requirements : ISO/IEC 27001 , 2005 .

[6]  A. Berztiss,et al.  Requirements Engineering , 2002, J. Object Technol..

[7]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[8]  Mario Piattini,et al.  Security Requirements Variability for Software Product Lines , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[9]  Andreas L. Opdahl,et al.  Experimental comparison of attack trees and misuse cases for security threat identification , 2009, Inf. Softw. Technol..

[10]  Joaquín Nicolás,et al.  Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach , 2002, Requirements Engineering.

[11]  Kim-Kwang Raymond Choo,et al.  Future directions in technology-enabled crime: 2007-09 , 2008 .

[12]  John Mylopoulos,et al.  ST-tool: a CASE tool for security requirements engineering , 2005, 13th IEEE International Conference on Requirements Engineering (RE'05).

[13]  Mario Piattini,et al.  Towards security requirements management for software product lines: a security domain requirements engineering process , 2008, JISBD.

[14]  Donald Firesmith,et al.  Engineering Security Requirements , 2003, J. Object Technol..

[15]  Yijun Yu,et al.  Automated Analysis of Permission-Based Security Using UMLsec , 2008, FASE.

[16]  Daniel Mellado,et al.  A systematic review of security requirements engineering , 2010, Comput. Stand. Interfaces.

[17]  Klaus Pohl,et al.  Software Product Line Engineering , 2005 .

[18]  John Mylopoulos,et al.  Requirements Engineering Meets Trust Management: Model, Methodology, and Reasoning , 2004, iTrust.