Security requirements patterns: understanding the science behind the art of pattern writing

Security requirements engineering ideally combines expertise in software security with proficiency in requirements engineering to provide a foundation for developing secure systems. However, security requirements are often inadequately understood and improperly specified, frequently because of a lack of security expertise and a lack of emphasis on security during the early stages of system development. Software systems often have common and recurrent security requirements in addition to system-specific security needs. Security requirements patterns can provide a means of capturing common security requirements while documenting the context in which a requirement manifests itself and the tradeoffs involved. The objective of this paper is to aid understanding of the process for pattern development and to provide considerations for writing effective security requirements patterns. We analyzed existing literature on software patterns, problem solving, and cognition to outline the process for developing software patterns. We also reviewed strategies for specifying reusable security requirements and security requirements patterns. Our proposed considerations can aid pattern writers in capturing the necessary contextual information when documenting security requirements patterns, to facilitate the application and integration of security requirements.
