System security requirements: A framework for early identification, specification and measurement of related software requirements

Abstract One of the responsibilities of developers is the early definition of non-functional requirements (NFR) at the system level and their related allocation as functional user requirements (FUR) at the software level. To identify some of the widely consensual security elements that could be used in a standards-based security framework, the security-related terminology and views from three sets of international standards (ECSS, IEEE and ISO) are analyzed and integrated. Next, the set of concepts adopted by ISO 19761 for describing software functionality at a lower level are introduced, thereby ensuring that the proposed framework is designed for measurement purposes as well. For the capture of security concepts, the proposed framework is designed using soft-goal interdependency graphs (SIG) and three main system NFR-security types: system availability, confidentiality and integrity. This standards-based system security framework at the function and service level can support software developers to derive such requirements in the early stages of the development process. Finally, an ATM example for the measurement of system security NFR allocated as software FUR within a service-oriented architecture (SOA) is presented.

[1]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[2]  Alain Abran,et al.  Non-Functional Requirements Size Measurement Method (NFSM) with COSMIC-FFP , 2007, IWSM/Mensura.

[3]  Hong Zhao,et al.  Data Security and Privacy Protection Issues in Cloud Computing , 2012, 2012 International Conference on Computer Science and Electronics Engineering.

[4]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[5]  Laurie A. Williams,et al.  Security requirements patterns: understanding the science behind the art of pattern writing , 2012, 2012 Second IEEE International Workshop on Requirements Patterns (RePa).

[6]  Gail-Joon Ahn,et al.  Detecting and Resolving Firewall Policy Anomalies , 2012, IEEE Transactions on Dependable and Secure Computing.

[7]  Alain Abran,et al.  Identification, specification and measurement, using international standards, of the system non functional requirements allocated to real-time embedded software , 2011 .

[8]  John Mylopoulos,et al.  A Requirements-Driven Development Methodology , 2001, CAiSE.

[9]  Per Runeson,et al.  Guidelines for conducting and reporting case study research in software engineering , 2009, Empirical Software Engineering.

[10]  Julio Cesar Sampaio do Prado Leite,et al.  On Non-Functional Requirements in Software Engineering , 2009, Conceptual Modeling: Foundations and Applications.

[11]  Daniel Gross,et al.  From Non-Functional Requirements to Design through Patterns , 2001, Requirements Engineering.

[12]  Alain Abran,et al.  Measurement of software requirements derived from system reliability requirements , 2010 .

[13]  Heinrich Hußmann,et al.  Towards understanding ATM security: a field study of real world ATM use , 2010, SOUPS.

[14]  Sai Peck Lee,et al.  A Consistent Approach for Prioritizing System Quality Attributes , 2013, 2013 14th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing.

[15]  John Mylopoulos,et al.  Requirements engineering for trust management: model, methodology, and reasoning , 2006, International Journal of Information Security.

[16]  Ross J. Anderson Liability and Computer Security: Nine Principles , 1994, ESORICS.

[17]  Elisa Bertino,et al.  A role-involved purpose-based access control model , 2012, Inf. Syst. Frontiers.

[18]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[19]  John Mylopoulos,et al.  Representing and Using Nonfunctional Requirements: A Process-Oriented Approach , 1992, IEEE Trans. Software Eng..

[20]  Lawrence Chung,et al.  Adaptable system/software architectures , 2004, J. Syst. Archit..

[21]  Khalid T. Al-Sarayreh,et al.  Towards A Requirements Model of System Security Using International Standards , 2015 .

[22]  Marie A. Wright Security controls in ATM systems , 1991 .

[23]  Haralambos Mouratidis,et al.  Secure Tropos framework for software product lines requirements engineering , 2014, Comput. Stand. Interfaces.

[24]  Henry M. Franken,et al.  Information security embedded in the design of telematics systems , 1997, Comput. Secur..

[25]  Hossein Saiedian,et al.  Requirements engineering: making the connection between the software developer and customer , 2000, Inf. Softw. Technol..

[26]  Alain Abran,et al.  A standards‐based model of system maintainability requirements , 2013, J. Softw. Evol. Process..

[27]  Jane Cleland-Huang,et al.  The Detection and Classification of Non-Functional Requirements with Application to Early Aspects , 2006, 14th IEEE International Requirements Engineering Conference (RE'06).

[28]  Eric S. K. Yu,et al.  Dealing with change: An approach using non-functional requirements , 2005, Requirements Engineering.

[29]  Alain Abran,et al.  A standards-based reference framework for system portability requirements , 2013, Comput. Stand. Interfaces.