tailieunhanh - A comprehensive approach to security requirements engineering

This research aims to define an approach as comprehensive as possible, incorporating the strengths and best practices found in existing approaches, and filling the gaps between them. To achieve that, relevant literature reviews were studied and primary approaches were compared to find their common and divergent traits. To guarantee comprehensiveness, a documented comparison process was followed. | International Journal of Computer Networks and Communications Security VOL. 4, NO. 10, OCTOBER 2016, 294–303 Available online at: E-ISSN 2308-9830 (Online) / ISSN 2410-0595 (Print) A Comprehensive Approach to Security Requirements Engineering Ilham Maskani1, Jaouad Boutahar2 and Souhail Elghazi3 1 LISER Laboratory, ENSEM, Hassan II University, Casablanca, Morocco 2, 3 Systems, architectures and networks Team, EHTP, Casablanca, Morocco 1 , , 3elghazis@ ABSTRACT Software’s security depends greatly on how a system was designed, so it’s very important to capture security requirements at the requirements engineering phase. Previous research proposes different approaches, but each is looking at the same problem from a different perspective such as the user, the threat, or the goal perspective. This creates huge gaps between them in terms of the used terminology and the steps followed to obtain security requirements. This research aims to define an approach as comprehensive as possible, incorporating the strengths and best practices found in existing approaches, and filling the gaps between them. To achieve that, relevant literature reviews were studied and primary approaches were compared to find their common and divergent traits. To guarantee comprehensiveness, a documented comparison process was followed. The outline of our approach was derived from this comparison. As a result, our approach reconciles different perspectives to security requirements engineering by including: the identification of stakeholders, asset and goals, and tracing them later to the elicited requirements, performing risk assessment in conformity with standards and performing requirements validation. It also includes the use of modeling artifacts to describe threats, risks or requirements, and defines a common terminology. Keywords: Security Requirements, Requirements Engineering, Security Standards, Comparison, .

• An ninh - Bảo mật
• International Journal of Computer Networks and Communications Security
• A comprehensive approach to security requirements engineering
• Incorporating the strengths
• Best practices found