A common criteria based security requirements engineering process for the development of secure information systems

In order to develop security critical Information Systems, specifying security quality requirements is vitally important, although it is a very difficult task. Fortunately, there are several security standards, like the Common Criteria (ISO/IEC 15408), which help us handle security requirements. This article will present a Common Criteria centred and reuse-based process that deals with security requirements at the early stages of software development in a systematic and intuitive way, by providing a security resources repository as well as integrating the Common Criteria into the software lifecycle, so that it unifies the concepts of requirements engineering and security engineering.

[1]  Albin Zuccato,et al.  Holistic security requirement engineering for electronic commerce , 2004, Comput. Secur..

[2]  Mario Piattini,et al.  A Comparative Study of Proposals for Establishing Security Requirements for the Development of Secure Information Systems , 2006, ICCSA.

[3]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[4]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[5]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[6]  Fabio Massacci,et al.  Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation , 2005, Comput. Stand. Interfaces.

[7]  Ivar Jacobson,et al.  The Unified Software Development Process , 1999 .

[8]  Joaquín Nicolás,et al.  Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach , 2002, Requirements Engineering.

[9]  Ruth Breu,et al.  Towards a Systematic Development of Secure Systems , 2004, Inf. Secur. J. A Glob. Perspect..

[10]  Donald Firesmith,et al.  Engineering Security Requirements , 2003, J. Object Technol..

[11]  Bashar Nuseibeh,et al.  Weaving Together Requirements and Architectures , 2001, Computer.

[12]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[13]  Stephen H. Kam,et al.  Integrating the Common Criteria into the Software Engineering Lifecycle , 2005, CIbSE.

[14]  Byoungju Choi,et al.  A CC-based security engineering process evaluation model , 2003, Proceedings 27th Annual International Computer Software and Applications Conference. COMPAC 2003.

[15]  Klaus Pohl,et al.  Sixth International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ”00) , 2001, Requirements Engineering.

[16]  Ruth Breu,et al.  Security-critical system development with extended use cases , 2003, Tenth Asia-Pacific Software Engineering Conference, 2003..

[17]  Ian Sommerville,et al.  Requirements Engineering: Processes and Techniques , 1998 .

[18]  A. Opdahl,et al.  A Reuse-Based Approach to Determining Secur ity Requirements , 2003 .

[19]  Eugene Miya,et al.  On "Software engineering" , 1985, SOEN.

[20]  Jacob L. Cybulski,et al.  Requirements Classification and Reuse: Crossing Domain Boundaries , 2000, ICSR.