SURE: Secure and Usable Requirements Engineering

Software security is increasingly important as technology and systems continue to evolve; however, it is too often addressed as an afterthought in development efforts. While various approaches for security requirements engineering exist, many still lack usability, usefulness, and understandability. Prior research has determined the need for a new approach that supports the writing of usable specifications by a variety of stakeholders. We describe a new technique for engineering security requirements called SURE, Secure and Usable Requirements Engineering. This new approach supports non-security experts in specifying usable, useful, and understandable security requirements. To our knowledge, SURE is one of the few, if not the only, security requirements engineering approaches that enable the usefulness of security specifications past the requirements stage. Our approach supports the mapping of testing artifacts from the specified security requirements. In addition, we detail ASSURE, Automated Support for Secure and Usable Requirements Engineering, a system that implements SURE. ASSURE is an online collaborative environment that enables the specification of security requirements and their mapping into testing artifacts while providing user and project management support. We also describe results from extensive usability and comparative studies of SURE and ASSURE. The usability studies evaluated the support for specifying security requirements, mapping testing artifacts, and dynamically updating artifacts. The comparative studies evaluated SURE specifications against existing specifications from one of our industrial partners as well as existing approaches. All of our studies showed very positive results. We conclude the dissertation with future directions and applications of the described research.