Capturing security requirements for software systems
Security is often an afterthought during software development. Realizing security early, especially in the requirement phase, is important so that security problems can be tackled before the process goes further and rework is avoided. A more effective approach to security requirement engineering is needed to provide a more systematic way of eliciting adequate security requirements. This paper proposes a methodology for security requirement elicitation based on problem frames. The methodology aims at early integration of security with software development. The main goal of the methodology is to help developers elicit adequate security requirements in a more systematic way during the requirement engineering process. A security catalog, based on the problem frames, is constructed to help identify security requirements with the aid of previous security knowledge. Abuse frames are used to model threats, while security problem frames are used to model security requirements. We have used evaluation criteria to evaluate the resulting security requirements, concentrating on identifying conflicts among requirements. We have shown that more complete security requirements can be elicited by this methodology, in addition to the assistance it offers developers in eliciting security requirements in a more systematic way.

Journal of Advanced Research (2014) 5, 463-472
Cairo University, Journal of Advanced Research
ORIGINAL ARTICLE
Authors: Hassan El-Hadary, Sherif El-Kassas
Department of Computer Science Engineering, The American University in Cairo, Egypt
Article history: Received 6 October 2013; Received in revised form 1 March 2014; Accepted 3 March 2014; Available online 12 March 2014
Keywords: Application security; Security requirements engineering; Security threat modeling; Problem frames
2014 Production and hosting by Elsevier on behalf of Cairo University.

Introduction

During the