Survey and analysis on Security Requirements Engineering

Security Requirements Engineering is a new research area within software engineering, born of the realization that security must be analyzed early, during the requirements phase. Many researchers are working in this area; however, security requirements are still treated inadequately in practice. Security requirements are non-functional requirements, which act as constraints on the functions of the system. Organizations depend on information systems for communicating and sharing information, so IT security has become central to fulfilling business goals, guarding assets and creating trustworthy systems. To develop systems with adequate security features, it is essential to capture the security requirements. In this paper, we present a view on security requirements, their issues and types, Security Requirements Engineering (SRE) and its methods. We analyzed and compared different methods and found that SQUARE and the Security Requirements Engineering Process cover most of the important activities of SRE. Developers can adopt these SRE methods and readily identify the security requirements for software systems.
