Getting Grip on Security Requirements Elicitation by Structuring and Reusing Security Requirements Sources

This paper presents a model for structuring and reusing security requirements sources. The model serves as blueprint for the development of an organization-specific repository, which provides relevant security requirements sources, such as security information and knowledge sources and relevant compliance obligations, in a structured and reusable form. The resulting repository is intended to be used by development teams during the elicitation and analysis of security requirements with the goal to understand the security problem space, incorporate all relevant requirements sources, and to avoid unnecessary effort for identifying, understanding, and correlating applicable security requirements sources on a project-wise basis. We start with an overview and categorization of important security requirements sources, followed by the description of the generic model. To demonstrate the applicability and benefits of the model, the instantiation approach and details of the resulting repository of security requirements sources are presented.

[1]  Ian Sommerville,et al.  Requirements Engineering: Processes and Techniques , 1998 .

[2]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2000, Proceedings 37th International Conference on Technology of Object-Oriented Languages and Systems. TOOLS-Pacific 2000.

[3]  Peter Liggesmeyer,et al.  Implications of the Operational Environmental on Software Security Requirements Engineering , 2014, WOSIS.

[4]  Sebastian Klipper,et al.  ISO/IEC 27005 , 2011 .

[5]  Isabelle Comyn-Wattiau,et al.  Ontologies for Security Requirements: A Literature Survey and Classification , 2012, CAiSE Workshops.

[6]  Sebastian Abeck,et al.  Towards a Reuse-oriented Security Engineering for Web-based Applications and Services , 2012, ICIW 2012.

[7]  A. Opdahl,et al.  A Reuse-Based Approach to Determining Secur ity Requirements , 2003 .

[8]  Jan Jürjens,et al.  Towards Development of Secure Systems Using UMLsec , 2001, FASE.

[9]  Maritta Heisel,et al.  A comparison of security requirements engineering methods , 2010, Requirements Engineering.

[10]  Joint Task Force Transformation Initiative,et al.  Security and Privacy Controls for Federal Information Systems and Organizations , 2013 .

[11]  S. Kanmani,et al.  Survey and analysis on Security Requirements Engineering , 2012, Comput. Electr. Eng..

[12]  Bashar Nuseibeh,et al.  Weaving Together Requirements and Architectures , 2001, Computer.

[13]  Philippe Kruchten,et al.  Extending XP practices to support security requirements engineering , 2006, SESS '06.

[14]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[15]  Gary McGraw,et al.  Knowledge for Software Security , 2005, IEEE Secur. Priv..

[16]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[17]  Martin Gilje Jaatun,et al.  Security Requirements for the Rest of Us: A Survey , 2008, IEEE Software.

[18]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[19]  Joint Task Force Recommended Security Controls for Federal Information Systems and Organizations , 2009 .

[20]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[21]  Gregory D. Schumacher,et al.  IEEE Guide for Developing System Requirements Specifications , 1999 .

[22]  Joaquín Nicolás,et al.  Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach , 2002, Requirements Engineering.

[23]  Mario Piattini,et al.  A common criteria based security requirements engineering process for the development of secure information systems , 2007, Comput. Stand. Interfaces.

[24]  Donald Firesmith,et al.  Engineering Security Requirements , 2003, J. Object Technol..

[25]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.

[26]  Michael A. Jackson,et al.  Problem Frames - Analysing and Structuring Software Development Problems , 2000 .

[27]  John Wilander,et al.  Security Requirements---A Field Study of Current Practice , 2005 .

[28]  Peter Liggesmeyer,et al.  A Model for Structuring and Reusing Security Requirements Sources and Security Requirements , 2015, REFSQ Workshops.

[29]  J. D. Meier Web application security engineering , 2006, IEEE Security & Privacy.

[30]  Daniel Mellado,et al.  A systematic review of security requirements engineering , 2010, Comput. Stand. Interfaces.

[31]  Bashar Nuseibeh,et al.  Weaving the Software Development Process Between Requirements and Architectures , 2001 .

[32]  Robert J. Ellison,et al.  Attack Trees , 2009, Encyclopedia of Biometrics.

[33]  Lin Liu,et al.  Security Requirements Engineering in the Wild: A Survey of Common Practices , 2011, 2011 IEEE 35th Annual Computer Software and Applications Conference.

[34]  William Yurcik,et al.  Threat Modeling as a Basis for Security Requirements , 2005 .

[35]  Haralambos Mouratidis,et al.  A Natural Extension of Tropos Methodology for Modelling Security , 2002 .

[36]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[37]  Robert Balzer,et al.  On the inevitable intertwining of specification and implementation , 1982, CACM.

[38]  Haralambos Mouratidis,et al.  Guest editorial: security requirements engineering: past, present and future , 2009, Requirements Engineering.