Applying a Security Domain Requirements Engineering Process for Software Product Lines

Security requirements management is especially important in software product lines, given that a weakness in security or a security breach can cause problems throughout all the products of a product line. The main contribution of this work is that of illustrating, by describing part of a real case study, a guided, systematic and intuitive way of dealing with security requirements from the early stages of the product line lifecycle by applying our proposed process of security requirements engineering for software product lines (SREPPLine), which makes it easier the variability and reusability management as well as the traceability relations of the security requirements in the product line. It is based on the use of the latest security requirements techniques, together with the integration of the Common Criteria (ISO/IEC 15408) and ISO/IEC 27001 controls, so that it facilitates the conformance of the product line and its products to the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.

[1]  Sooyong Park,et al.  Goal and scenario based domain requirements analysis environment , 2006, J. Syst. Softw..

[2]  Jinx P. Walton Developing an enterprise information security policy , 2002, SIGUCCS '02.

[3]  Mario Piattini,et al.  A Comparative Study of Proposals for Establishing Security Requirements for the Development of Secure Information Systems , 2006, ICCSA.

[4]  Ruth Breu,et al.  Security-critical system development with extended use cases , 2003, Tenth Asia-Pacific Software Engineering Conference, 2003..

[5]  Mario Piattini,et al.  Security Requirements Management in Software Product Line Engineering , 2008, ICETE.

[6]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[7]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[8]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[9]  John Mylopoulos,et al.  ST-tool: a CASE tool for security requirements engineering , 2005, 13th IEEE International Conference on Requirements Engineering (RE'05).

[10]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[11]  Joaquín Nicolás,et al.  Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach , 2002, Requirements Engineering.

[12]  Mario Piattini,et al.  A common criteria based security requirements engineering process for the development of secure information systems , 2007, Comput. Stand. Interfaces.

[13]  Haeng-Kon Kim,et al.  Automatic Translation Form Requirements Model into Use Cases Modeling on UML , 2005, ICCSA.

[14]  Mario Piattini,et al.  SREPPLine: Towards a Security Requirements Engineering Process for Software Product Lines , 2007, WOSIS.