Using FSM patterns to size security non-functional requirements with COSMIC

Measuring non-functional requirements (NFRs) has proved to be a non-trivial problem and has been the subject of many recent studies. This paper introduces the application of Functional Size Measurement (FSM) Patterns to facilitate the measurement of NFRs, focusing on security requirements. A Design Science Research methodology was followed to define measurement patterns for application security controls (ASCs) and to demonstrate their usefulness. Examples of how FSM Patterns can be defined for ASCs are provided, along with how they are applied during or after the COSMIC measurement of Functional User Requirements (FURs). Results from a small case suggest that the functional size introduced by a sample set of ASCs can be significant (e.g. an increase of over 200%). Defining and applying FSM Patterns turned out to be an effective way of capturing the functional size implied by security NFRs. The approach also allows such NFRs to be sized before they are converted into FURs in later phases of the software development lifecycle, so that software size is represented more accurately in the early stages. As such, FSM Patterns should be an asset for incorporating the functional size stemming from high-level NFRs defined at the start of a project. The scope of this research was limited to security NFRs, specifically those to be operationalized in the measured software (quasi-NFRs). Future work could extend the approach to other categories of NFRs.
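As an added illustration (not code from the paper), the following Python model shows how an FSM pattern for an application security control adds COSMIC data movements to each functional process it applies to, and how the resulting size increase is computed. The sample FURs and the three ASC patterns are constructed for this example; the COSMIC rule that a data movement of the same type and data group is counted once per functional process is what keeps repeated error-message Exits from inflating the size.

```python
from dataclasses import dataclass

# COSMIC data movement types. Each distinct (type, data group) pair within a
# functional process counts one COSMIC Function Point (CFP).
E, X, R, W = "Entry", "Exit", "Read", "Write"
MSG = "error/confirmation message"  # COSMIC counts all error messages as one data group

@dataclass
class FunctionalProcess:
    name: str
    movements: list  # [(movement type, data group), ...]
    def size(self) -> int:
        return len(set(self.movements))  # a repeated movement is counted once

@dataclass
class AscPattern:
    """FSM pattern for an application security control (ASC): the data movements
    it adds to every functional process it applies to (constructed examples)."""
    name: str
    movements: list
    applies_to: object  # predicate FunctionalProcess -> bool

def apply_patterns(processes, patterns):
    """Merge pattern movements into each process. A movement the process already
    has (e.g. a second Exit of the message data group) adds no CFP."""
    result = []
    for fp in processes:
        merged = list(dict.fromkeys(fp.movements))  # de-duplicate, keep order
        for p in patterns:
            if p.applies_to(fp):
                merged += [m for m in p.movements if m not in merged]
        result.append(FunctionalProcess(fp.name, merged))
    return result

def total_size(processes) -> int:
    return sum(fp.size() for fp in processes)

def size_report(processes, patterns) -> dict:
    before = total_size(processes)
    after = total_size(apply_patterns(processes, patterns))
    return {"before": before, "after": after, "increase_pct": 100.0 * (after - before) / before}

# Constructed sample FURs of a small order-handling application.
FURS = [
    FunctionalProcess("Create order", [(E, "order"), (W, "order"), (X, MSG)]),
    FunctionalProcess("View order", [(E, "order id"), (R, "order"), (X, "order"), (X, MSG)]),
    FunctionalProcess("Update order", [(E, "order"), (R, "order"), (W, "order"), (X, MSG)]),
]
# Constructed ASC patterns (illustrative; not the patterns defined in the paper).
ASC_PATTERNS = [
    AscPattern("Authentication", [(E, "credentials"), (R, "user account"), (X, MSG)], lambda fp: True),
    AscPattern("Audit logging", [(W, "audit record"), (X, MSG)], lambda fp: True),
    AscPattern("Access control", [(R, "user permissions"), (X, MSG)],
               lambda fp: any(t == W for t, _ in fp.movements)),  # only processes that write
]
```

Calling `size_report(FURS, ASC_PATTERNS)` on this constructed case doubles the size (11 to 22 CFP); the paper's own case reports a larger increase with its own pattern set.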
