Systematically Developing Prevention, Detection, and Response Patterns for Security Requirements

The security community has established a number of knowledge sources, including security catalogues and controls, that capture security expertise and can support elicitation of security requirements. Providing additional guidance on how and when to leverage the security information available in the existing knowledge sources in the context of the given system can support security requirements engineering efforts. The objective of this research is to support analysts in identifying and specifying security requirements by developing and utilizing a systematic process for identifying security requirements patterns from existing knowledge sources. We document our process for systematically analyzing and synthesizing existing knowledge sources to identify a set of security requirements patterns that support a diverse set of security goals. We demonstrate the feasibility of our process by applying it to NIST Special Publication 800-53 to identify 35 security requirements patterns related to preventing, detecting and responding to security breaches. Our patterns can generate a broad set of technical security requirements by instantiating 131 different security requirements templates that are grouped in the 35 patterns. Our patterns capture the security context in which each pattern is applicable and the security-specific problem that is addressed, providing conceptual scaffolding around the knowledge abstracted in the security requirements patterns.

[1]  Laurie A. Williams,et al.  DIGS: A Framework for Discovering Goals for Security Requirements Engineering , 2016, ESEM.

[2]  Lin Liu,et al.  Analysing security requirements patterns based on problems decomposition and composition , 2011, 2011 First International Workshop On Requirements Patterns.

[3]  Laurie A. Williams,et al.  Security requirements patterns: understanding the science behind the art of pattern writing , 2012, 2012 Second IEEE International Workshop on Requirements Patterns (RePa).

[4]  Laurie A. Williams,et al.  Hidden in plain sight: Automatically identifying security requirements from natural language artifacts , 2014, 2014 IEEE 22nd International Requirements Engineering Conference (RE).

[5]  Barbara Paech,et al.  RePa Requirements Pattern Template , 2012 .

[6]  Laurie A. Williams,et al.  A grounded analysis of experts' decision-making during security assessments , 2016, J. Cybersecur..

[7]  Xavier Franch,et al.  Software requirement patterns , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[8]  A. Viera,et al.  Understanding interobserver agreement: the kappa statistic. , 2005, Family medicine.

[9]  Isabelle Comyn-Wattiau,et al.  Reusable knowledge in security requirements engineering: a systematic mapping study , 2015, Requirements Engineering.

[10]  Hironori Washizaki,et al.  A survey on security patterns , 2008 .

[11]  Norman L. Kerth,et al.  Using Patterns To Improve Our Architectural Vision , 1997, IEEE Softw..

[12]  Peter Liggesmeyer,et al.  Instantiating a model for structuring and reusing security requirements sources , 2015, 2015 IEEE 2nd Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE).

[13]  Kristian Beckers,et al.  A catalog of security requirements patterns for the domain of cloud computing systems , 2014, SAC.

[14]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[15]  Eduardo B. Fernandez,et al.  Systematic mapping of security patterns research , 2015 .

[16]  Stephen Withall Software Requirement Patterns , 2007 .

[17]  Laurie A. Williams,et al.  How have we evaluated software pattern application? A systematic mapping study of research design practices , 2015, Inf. Softw. Technol..

[18]  Laurie A. Williams,et al.  To log, or not to log: using heuristics to identify mandatory log events – a controlled experiment , 2017, Empirical Software Engineering.

[19]  Jan Jürjens,et al.  Enhancing security requirements engineering by organizational learning , 2012, Requirements Engineering.

[20]  John Mylopoulos,et al.  Security Requirements Engineering: The SI* Modeling Language and the Secure Tropos Methodology , 2010, Advances in Intelligent Information Systems.

[21]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[22]  Laurie A. Williams,et al.  Using templates to elicit implied security requirements from functional requirements - a controlled experiment , 2014, ESEM '14.

[23]  Laurie A. Williams,et al.  Towards a framework to measure security expertise in requirements analysis , 2014, 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE).

[24]  Laurie A. Williams,et al.  Identifying the implied: Findings from three differentiated replications on the use of security requirements templates , 2016, Empirical Software Engineering.

[25]  Annie I. Antón,et al.  A legal cross-references taxonomy for reasoning about compliance requirements , 2012, Requirements Engineering.