Analyzing and Specifying Security Requirements in Early Stages of Software Development Life Cycle


  • Elena Simona Coles IT&C Security Master Department of Economic Informatics and Cybernetics The Bucharest University of Economic Studies


Security, Software, Life Cycle, Development


As of lately, more and more studies show that, at a global level, one of the most important causes of economic loss is unauthorized access to informatics resources. For example, a CSI/FBI Computer Crime and Security report from 2006 states that, in the top identified causes for economic loss in the USA, unauthorized access to informatics resources takes second place (Gordon et. al., 2006). Without a doubt, given the accelerated growth of software industry in the present, this need of security should be taken into account in Romania as a top priority. At the moment, in the requirements extraction phase from the software development life cycle, importance is given only to functional requirements. Thus appears the problem of identifying adequate solutions for treating non-functional requirements, where security requirements are included.


Gordon, L., Loeb, M., Lucyshyn, W., and Richardson, R. 2006. Eleventh Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute.

PwC, 2015, The Global State of Information Security Survey 2015

Trustwave Holdings, 2014 Trustwave Global Security Report, May 2014

J.D. Meier, “Web Application Security Engineering,” IEEE Security & Privacy, vol. 4, no. 4, 2006, pp. 16–24.

Tondel, I. A., Jaatun, M. G., & Meland, P. H. (2008). Security requirements for the rest of us: A survey. IEEE Software , 25(1), 20–27. doi:doi:10.1109/MS.2008.19

PwC, Why you should adopt the NIST CyberSecurity Framework, May 2014

Khan, Khaled M. Security-Aware Systems Applications and Software Development Methods, 2012, pp 52 – 69

C.B. Haley et al., “Security Requirements Engineering: A Framework for Representation and Analysis,” to be published in IEEE Trans. Software Eng.

Firesmith G. Donald, Analysing and Specifying Reusable Security Requirements, 2008.

D’Aubeterre, F. Singh, R. and Iyer, L. 2008. A Semantic Approach to Secure Collaborative Inter-Organizational eBusiness Processes (SSCIOBP). Journal of the Association for Information Systems . 11, 6 (2008), 724-735.

Dhillon, G. and J., Backhouse. 2001. Current Directions in IS Security Research: Towards Socio-Organizational Perspectives. Information Systems Journal. 11 (2001), 127-153.

Siponen, M. and Iivari, J. 2006. Six Design Theories for IS Security Policies and Guidelines. Journal of the Association for Information Systems.7, 7 (July 2006), 445-472.

B. Schneier. Attack trees. Dr. Dobb's Journal, 24(12):21{29, 1999.

W. E. Vesely, F. F. Goldberg, N. Roberts, and D. F. Haasl. Fault tree handbook. Technical Report NUREG-0492, U.S. Nuclear Regulatory Commission, January 1981.

C. Phillips and L. P. Swiler. A graph-based system for network-vulnerability analysis. In Proc. of NSPW'98, pages 71{79. ACM, 1998.

J. McDermott and C. Fox. Using abuse case models for security requirements analysis. In Proc of ACSAC'99, page 55. IEEE Computer Society, 1999.

– G. Sindre and L. Opdahl. Eliciting security requirements with misuse cases. Requir. Eng., 10(1):34{44, 2005.

- L. Rstad. An extended misuse case notation: Including vulnerabilities and the insider threat. In The Twelfth Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ'06), 2006.

– F. Braber, I. Hogganvik, M. S. Lund, K. Stolen, and F. Vraalsen. Model-based security analysis in seven steps | a guided tour to the coras method. BT Technology Journal, 25(1):101{117, 2007.

– H. Mouratidis, P. Giorgini, G. Manson, and I. Philp. A natural extension of tropos methodology for modelling security. In Proceedings of the Workshop on Agent-oriented methodologies, at OOPSLA, 2002.

- J. JÄurjens. Umlsec: Extending uml for secure systems development. In Proc of UML'02, pages 412{425. Springer, 2002.

T. Lodderstedt, D. A. Basin, and J. Doser. Secureuml: A uml-based modeling language for model-driven security. In UML '02: Proceedings of the 5th International Conference on The Uni¯ed Modeling Language, pages 426{441, London, UK, 2002. Springer-Verlag




How to Cite

Coles, E. S. (2015). Analyzing and Specifying Security Requirements in Early Stages of Software Development Life Cycle. Journal of Mobile, Embedded and Distributed Systems, 7(2), 87-94. Retrieved from