Performance analysis of security requirements engineering framework by measuring the vulnerabilities

To develop security-critical web applications, specifying security requirements is important, since 75% to 80% of all attacks happen at the web application layer. We adopted security requirements engineering methods to identify security requirements at the early stages of the software development life cycle so as to minimize vulnerabilities in the later phases. In this paper, we present the evaluation of the Model Oriented Security Requirements Engineering (MOSRE) framework and the Security Requirements Engineering Framework (SREF) by implementing the security requirements identified through each framework while developing the respective web application. We also developed a web application without using any security requirements engineering method, in order to prove the importance of the security requirements engineering phase in the software development life cycle. The developed web applications were scanned for vulnerabilities using a web application scanning tool. The evaluation was done in two phases of the software development life cycle: requirements engineering and testing. From the results, we observed that the number of vulnerabilities detected in the web application developed with the MOSRE framework is lower than in the web applications developed with SREF and without any security requirements engineering method. Thus, this study led requirements engineers to use the MOSRE framework to elicit security requirements efficiently and to trace security requirements from the requirements engineering phase to the later phases of the software development life cycle when developing secure web applications.
