Security requirements engineering-the reluctant oxymoron

Security is a focus in many systems that are developed today, yet this aspect of systems development is often relegated when the shipping date for a software product looms. This leads to problems post-implementation in terms of patches required to fix security defects or vulnerabilities. A simplistic answer is that if the code was correct in the first instance, then vulnerabilities would not exist. The reality of a complex software artefact is however, driven by other concerns. Rather than probing programs for coding errors that lead to vulnerabilities, it is perhaps more beneficial to look at the root causes of how and why vulnerabilities come to exist in software. This paper explores the reasons why this might be so, uses two simple case studies to illustrate the effects of failing to specify requirements correctly and suggests that software development methods that build in security concerns at the beginning of a project might be the way forward.

[1]  Wouter Joosen,et al.  On the secure software development process: CLASP, SDL and Touchpoints compared , 2009, Inf. Softw. Technol..

[2]  Michael Howard,et al.  The security development lifecycle : SDL, a process for developing demonstrably more secure software , 2006 .

[3]  Bradley S. Rubin,et al.  Computer Security Education and Research: Handle with Care , 2006, IEEE Security & Privacy.

[4]  Adam Shostack,et al.  The New School of Information Security , 2008 .

[5]  David Graham Wastell,et al.  The fetish of technique: methodology as a social defence , 1996, Inf. Syst. J..

[6]  Ian Sommerville,et al.  Requirements Engineering: Processes and Techniques , 1998 .

[7]  Frederick P. Brooks,et al.  No Silver Bullet: Essence and Accidents of Software Engineering , 1987 .

[8]  Ed Downs,et al.  Structured systems analysis and design method: application and context , 1988 .

[9]  Deborah A. Frincke,et al.  Who Watches the Security Educators? , 2003, IEEE Secur. Priv..

[10]  De WinBart,et al.  On the secure software development process , 2009 .

[11]  D. Saunders The brave new world , 1999 .

[12]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[13]  Ross J. Anderson Why information security is hard - an economic perspective , 2001, Seventeenth Annual Computer Security Applications Conference.

[14]  J. Oberg,et al.  Why the Mars probe [accident investigation] , 1999 .

[15]  Enid Mumford,et al.  Review: Understanding and Evaluating Methodologies , 1995 .

[16]  Elfriede Dustin,et al.  The Art of Software Security Testing: Identifying Software Security Flaws , 2006 .

[17]  Kalle Lyytinen,et al.  The Brave New World of development in the internetwork computing architecture (InterNCA): or how distributed computing platforms will change systems development , 1998, Inf. Syst. J..

[18]  Kent L. Beck,et al.  Extreme programming explained - embrace change , 1990 .

[19]  Ian Sommerville,et al.  Software engineering (6th ed.) , 2001 .

[20]  John Viega Building security requirements with CLASP , 2005, SOEN.

[21]  Michael A. Cusumano What road ahead for Microsoft and Windows? , 2006, CACM.

[22]  Melissa Dark,et al.  Teaching Students to Design Secure Systems , 2003, IEEE Secur. Priv..

[23]  Robert W. Shirey,et al.  Internet Security Glossary , 2000, RFC.