Security Requirements Management in Software Product Line Engineering

Security requirements engineering is both a central task and a critical success factor in product line development due to the complexity and extensive nature of product lines. However, most of the current product line practices in requirements engineering do not adequately address security requirements engineering. Therefore, in this chapter we will propose a security requirements engineering process (SREPPLine) driven by security standards and based on a security requirements decision model along with a security variability model to manage the variability of the artefacts related to security requirements. The aim of this approach is to deal with security requirements from the early stages of the product line development in a systematic way, in order to facilitate conformance with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.

[1]  Svein O. Hallsteinsen,et al.  A Software Product Line Reference Architecture for Security , 2006, Software Product Lines.

[2]  Eila Niemelä,et al.  Capturing quality requirements of product family architecture , 2007, Inf. Softw. Technol..

[3]  Timo Käkölä,et al.  Software Product Lines - Research Issues in Engineering and Management , 2006 .

[4]  José L. Arciniegas,et al.  Architecture Reasoning for Supporting Product Line Evolution: An Example on Security , 2006, Software Product Lines.

[5]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[6]  Donald Firesmith,et al.  Engineering Security Requirements , 2003, J. Object Technol..

[7]  Mario Piattini,et al.  A common criteria based security requirements engineering process for the development of secure information systems , 2007, Comput. Stand. Interfaces.

[8]  Mario Piattini,et al.  A Comparative Study of Proposals for Establishing Security Requirements for the Development of Secure Information Systems , 2006, ICCSA.

[9]  Bashar Nuseibeh,et al.  Using trust assumptions with security requirements , 2005, Requirements Engineering.

[10]  Jean-Marc Jézéquel,et al.  ≪UML≫ 2002 — The Unified Modeling Language , 2002, Lecture Notes in Computer Science.

[11]  Mario Piattini,et al.  Applying a Security Requirements Engineering Process , 2006, ESORICS.

[12]  Armin Eberlein,et al.  Aspect-oriented requirements engineering for software product lines , 2003, 10th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems, 2003. Proceedings..

[13]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[14]  Haralambos Mouratidis,et al.  Integrating Security and Software Engineering: Advances and Future Visions , 2006 .

[15]  Paul Clements,et al.  Software product lines - practices and patterns , 2001, SEI series in software engineering.

[16]  Klaus Pohl,et al.  Software Product Line Engineering , 2005 .

[17]  Dieter Gollmann,et al.  Computer Security - ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings , 2006, ESORICS.

[18]  David Taniar,et al.  Computational Science and Its Applications - ICCSA 2006, International Conference, Glasgow, UK, May 8-11, 2006, Proceedings, Part I , 2006, ICCSA.

[19]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[20]  Andreas Birk,et al.  Challenges for Requirements Engineering and Management in Software Product Line Development , 2007, REFSQ.

[21]  Haralambos Mouratidis,et al.  Modelling security and trust with Secure Tropos , 2006 .

[22]  Mario Piattini,et al.  Towards security requirements management for software product lines: a security domain requirements engineering process , 2008, JISBD.

[23]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[24]  Klaus Pohl,et al.  Software Product Line Engineering - Foundations, Principles, and Techniques , 2005 .

[25]  Kyo Chul Kang,et al.  Feature-Oriented Domain Analysis (FODA) Feasibility Study , 1990 .

[26]  Ian Sommerville,et al.  Requirements Engineering: Processes and Techniques , 1998 .

[27]  Julio Cesar Sampaio do Prado Leite,et al.  On Non-Functional Requirements in Software Engineering , 2009, Conceptual Modeling: Foundations and Applications.

[28]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..