A maturity model for secure requirements engineering

Abstract Security is considered to be a critical software quality attribute. Tackling security at the requirements phase helps to avoid the need to rework secure software development issues. The aim of this paper is to develop a Requirements Engineering (RE) Security Maturity Model (RESMM) to assist software development organizations to better specify the requirements for secure software development. To achieve this objective, first, we conducted a systematic literature review (SLR) to identify the requirement practices for secure software development. Then we modified Sommerville's requirements engineering practices. We also conducted a questionnaire survey based on the identified security requirements practices. Next, the RESMM was built based on the results of the SLR, the modified Sommerville practices and feedback from the security practitioners. Finally, two case studies were conducted to assess RESMM. RESMM has 79 practices classified into 7 RE categories. The case study results show that RESMM has a clear structure and is easy to comprehend and use. In addition, the case study participants recommended that software organizations adopt RESMM. RESMM has the ability to identify the RE security maturity levels in software organizations. RESMM can also help software development organizations deliver secure software.

[1]  Abhinav Rastogi,et al.  Secure Coding: Building Security into the Software Development Life Cycle , 2004, Inf. Secur. J. A Glob. Perspect..

[2]  Jianping Li,et al.  An integrated risk measurement and optimization model for trustworthy software process management , 2012, Inf. Sci..

[3]  Mohamed Mejri,et al.  Formal specification and integration of distributed security policies , 2017, Comput. Lang. Syst. Struct..

[4]  Rajeev R. Raje,et al.  Analyzing and evaluating security features in software requirements , 2016 .

[5]  Bashar Nuseibeh,et al.  Deriving security requirements from crosscutting threat descriptions , 2004, AOSD '04.

[6]  Iman Tabatabaei Ardekani,et al.  Effects of software security on software development life cycle and related security issues , 2015 .

[7]  Rick Kazman,et al.  From requirements negotiation to software architecture decisions , 2005, Inf. Softw. Technol..

[8]  Ludovic Piètre-Cambacédès,et al.  A survey of approaches combining safety and security for industrial control systems , 2015, Reliab. Eng. Syst. Saf..

[9]  Mario Piattini,et al.  Secure information systems development - a survey and comparison , 2005, Comput. Secur..

[10]  Martin Gilje Jaatun,et al.  Security Requirements for the Rest of Us: A Survey , 2008, IEEE Software.

[11]  Fergal McCaffery,et al.  A Process Framework for Global Software Engineering Teams , 2012, Inf. Softw. Technol..

[12]  Karl Cox,et al.  Empirical study of Sommerville and Sawyer's requirements engineering practices , 2009, IET Softw..

[13]  Anand R. Tripathi,et al.  Specification and verification of security requirements in a programming model for decentralized CSCW systems , 2007, TSEC.

[14]  Laurie A. Williams,et al.  DIGS: A Framework for Discovering Goals for Security Requirements Engineering , 2016, ESEM.

[15]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[16]  D. Ross Jeffery,et al.  An exploratory study of why organizations do not adopt CMMI , 2007, J. Syst. Softw..

[17]  Mark Aberdour A people-focused , 2022 .

[18]  Norita Md Norwawi,et al.  Systematic review of web application security development model , 2012, Artificial Intelligence Review.

[19]  Douglas L. Maskell,et al.  A technique for expressing IT security objectives , 2006, Inf. Softw. Technol..

[20]  Hassan El-Hadary,et al.  Capturing security requirements for software systems , 2014, Journal of advanced research.

[21]  Pearl Brereton,et al.  Evidence-Based Software Engineering and Systematic Reviews , 2015 .

[22]  Bashar Nuseibeh,et al.  A framework for security requirements engineering , 2006, SESS '06.

[23]  Johannes Sametinger,et al.  Software security for small development teams: a case study , 2011, iiWAS '11.

[24]  Zhendong Ma,et al.  Towards a Secure SCRUM Process for Agile Web Application Development , 2017, ARES.

[25]  Eduardo Fernández-Medina,et al.  The practical application of a process for eliciting and designing security in web service systems , 2009, Inf. Softw. Technol..

[26]  Atsuo Hazeyama,et al.  A Case-based Management System for Secure Software Development Using Software Security Knowledge , 2015, KES.

[27]  Mohammad Alshayeb,et al.  A measurement framework for software product maturity assessment , 2019, J. Softw. Evol. Process..

[28]  Paolo Giorgini,et al.  Security requirements engineering via commitments , 2011, 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST).

[29]  Manoj Kumar,et al.  Modeling of security requirements for decision information systems , 2011, SOEN.

[30]  Eduardo B. Fernández,et al.  A comprehensive pattern-oriented approach to engineering security methodologies , 2015, Inf. Softw. Technol..

[31]  Ghassan Beydoun,et al.  Generic modelling of security awareness in agent based systems , 2013, Inf. Sci..

[32]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[33]  Humayun Zafar Human resource information systems: Information security concerns for organizations , 2013 .

[34]  Antònia Mas Picahaco,et al.  Implementing information security best practices on software lifecycle processes: The ISO/IEC 15504 Security Extension , 2015, Comput. Secur..

[35]  Ian Sommerville,et al.  An empirical study of industrial requirements engineering process assessment and improvement , 2005, TSEM.

[36]  Paolo Falcarin,et al.  Measuring security requirements for software security , 2011, 2011 IEEE 10th International Conference on Cybernetic Intelligent Systems (CIS).

[37]  Zbigniew Kotulski,et al.  Cybersecurity education: Evolution of the discipline and analysis of master programs , 2018, Comput. Secur..

[38]  Ahmed Patel Formal methods, techniques and tools for secure and reliable applications , 2005, Comput. Stand. Interfaces.

[39]  Rafael M. Gasca,et al.  A Model-Driven engineering approach with diagnosis of non-conformance of security objectives in business process models , 2011, 2011 FIFTH INTERNATIONAL CONFERENCE ON RESEARCH CHALLENGES IN INFORMATION SCIENCE.

[40]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[41]  Barbara Kitchenham,et al.  Procedures for Performing Systematic Reviews , 2004 .

[42]  Pete Sawyer,et al.  Requirements Engineering: A Good Practice Guide , 1997 .

[43]  Eduardo B. Fernández,et al.  An extensible pattern-based library and taxonomy of security threats for distributed systems , 2014, Comput. Stand. Interfaces.

[44]  Haralambos Mouratidis,et al.  Empirical evaluation of a cloud computing information security governance framework , 2015, Inf. Softw. Technol..

[45]  Christian W. Probst,et al.  An extensible analysable system model , 2008, Inf. Secur. Tech. Rep..

[46]  S. Kanmani,et al.  A model based security requirements engineering framework applied for online trading system , 2011, 2011 International Conference on Recent Trends in Information Technology (ICRTIT).

[47]  David LeBlanc,et al.  Writing Secure Code , 2001 .

[48]  Gary McGraw Managing Software Security Risks , 2002, Computer.

[49]  Sajjad Mahmood,et al.  A Readiness Model for Security Requirements Engineering , 2018, IEEE Access.

[50]  Charles P. Pfleeger,et al.  Security in computing , 1988 .

[51]  Jaekwan Park,et al.  Implementation of cyber security for safety systems of nuclear facilities , 2016 .

[52]  Haralambos Mouratidis,et al.  When security meets software engineering: a case of modelling secure information systems , 2005, Inf. Syst..

[53]  Kristian Beckers,et al.  A catalog of security requirements patterns for the domain of cloud computing systems , 2014, SAC.

[54]  Lei Yin,et al.  A novel method of security requirements development integrated common criteria , 2010, 2010 International Conference On Computer Design and Applications.

[55]  Michael Howard,et al.  Building More Secure Software with Improved Development Processes , 2004, IEEE Secur. Priv..

[56]  Sajjad Mahmood,et al.  Exploring software security approaches in software development lifecycle: A systematic mapping study , 2017, Comput. Stand. Interfaces.

[57]  Jack Danahy Security & SDLC: The 'phasing-in' of security governance in the SDLC , 2008 .

[58]  Brian Henderson-Sellers,et al.  Project management capability levels: an empirical study , 2004, 11th Asia-Pacific Software Engineering Conference.

[59]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[60]  Wouter Joosen,et al.  On the secure software development process: CLASP, SDL and Touchpoints compared , 2009, Inf. Softw. Technol..

[61]  Haralambos Mouratidis,et al.  Towards the design of secure and privacy-oriented information systems in the cloud: Identifying the major concepts , 2014, Comput. Stand. Interfaces.

[62]  Chin-Feng Fan,et al.  Regulatory-based development processes for software security in nuclear safety systems , 2010 .

[63]  Alain Abran,et al.  A Software Maintenance Maturity Model (S3M): Measurement Practices at Maturity Levels 3 and 4 , 2009, SQM@CSMR.

[64]  Klaas-Jan Stol,et al.  Continuous software engineering: A roadmap and agenda , 2017, J. Syst. Softw..

[65]  Minhaj Ahmad Khan,et al.  A survey of security issues for cloud computing , 2016, J. Netw. Comput. Appl..

[66]  Mario Piattini,et al.  An engineering process for developing Secure Data Warehouses , 2009, Inf. Softw. Technol..

[67]  Issa Traoré,et al.  Application of contract-based security assertion monitoring framework for telecommunications software engineering , 2011, Math. Comput. Model..

[68]  Khaled Alghathbar Validating the enforcement of access control policies and separation of duty principle in requirement engineering , 2007, Inf. Softw. Technol..

[69]  John Viega Building security requirements with CLASP , 2005, SOEN.

[70]  Bashar Nuseibeh,et al.  Security requirements engineering: when anti-requirements hit the fan , 2002, Proceedings IEEE Joint International Conference on Requirements Engineering.

[71]  Fred Briggs,et al.  Software Security Challenges in Computing and Communications Environments , 2011 .

[72]  Diogo Proença,et al.  Maturity Models for Information Systems - A State of the Art , 2016 .

[73]  Haralambos Mouratidis,et al.  Secure Tropos framework for software product lines requirements engineering , 2014, Comput. Stand. Interfaces.

[74]  Marco Aiello,et al.  Deriving business processes with service level agreements from early requirements , 2011, J. Syst. Softw..

[75]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[76]  Atreyi Kankanhalli,et al.  Investigation of IS professionals' intention to practise secure development of applications , 2007, Int. J. Hum. Comput. Stud..

[77]  Hidehiko Tanaka,et al.  Identifying Security Aspects in Early Development Stages , 2008, 2008 Third International Conference on Availability, Reliability and Security.