Analyzing and Specifying Security Requirements in Early Stages of Software Development Life Cycle
Keywords:
Security, Software, Life Cycle, Development
Abstract
Recently, more and more studies have shown that, at a global level, one of the most important causes of economic loss is unauthorized access to IT resources. For example, the 2006 CSI/FBI Computer Crime and Security Survey states that, among the top identified causes of economic loss in the USA, unauthorized access to IT resources takes second place (Gordon et al., 2006). Given the accelerated growth of the software industry today, this need for security should without doubt be treated as a top priority in Romania as well. At present, in the requirements elicitation phase of the software development life cycle, importance is given only to functional requirements. This raises the problem of identifying adequate solutions for treating non-functional requirements, among which security requirements are included.
References
Gordon, L., Loeb, M., Lucyshyn, W., and Richardson, R. 2006. Eleventh Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute.
PwC. 2015. The Global State of Information Security Survey 2015.
Trustwave Holdings. 2014. 2014 Trustwave Global Security Report, May 2014.
PwC. http://www.pwc.co.uk/assets/pdf/cyber-security-2013-exec-summary.pdf
Meier, J. D. 2006. Web Application Security Engineering. IEEE Security & Privacy, 4(4), 16–24.
Tøndel, I. A., Jaatun, M. G., and Meland, P. H. 2008. Security requirements for the rest of us: A survey. IEEE Software, 25(1), 20–27. doi:10.1109/MS.2008.19
PwC. 2014. Why you should adopt the NIST CyberSecurity Framework, May 2014.
Khan, K. M. 2012. Security-Aware Systems Applications and Software Development Methods, pp. 52–69.
Haley, C. B. et al. Security Requirements Engineering: A Framework for Representation and Analysis. To be published in IEEE Trans. Software Eng. http://doi.ieeecomputersociety.org/10.1109/TSE.2007.70754
Firesmith, D. G. 2008. Analysing and Specifying Reusable Security Requirements.
D'Aubeterre, F., Singh, R., and Iyer, L. 2008. A Semantic Approach to Secure Collaborative Inter-Organizational eBusiness Processes (SSCIOBP). Journal of the Association for Information Systems, 11(6), 724–735.
Dhillon, G. and Backhouse, J. 2001. Current Directions in IS Security Research: Towards Socio-Organizational Perspectives. Information Systems Journal, 11, 127–153.
Siponen, M. and Iivari, J. 2006. Six Design Theories for IS Security Policies and Guidelines. Journal of the Association for Information Systems, 7(7), 445–472.
Schneier, B. 1999. Attack trees. Dr. Dobb's Journal, 24(12), 21–29.
Vesely, W. E., Goldberg, F. F., Roberts, N., and Haasl, D. F. 1981. Fault Tree Handbook. Technical Report NUREG-0492, U.S. Nuclear Regulatory Commission, January 1981.
Phillips, C. and Swiler, L. P. 1998. A graph-based system for network-vulnerability analysis. In Proc. of NSPW'98, pp. 71–79. ACM.
McDermott, J. and Fox, C. 1999. Using abuse case models for security requirements analysis. In Proc. of ACSAC'99, p. 55. IEEE Computer Society.
Sindre, G. and Opdahl, L. 2005. Eliciting security requirements with misuse cases. Requirements Engineering, 10(1), 34–44.
Røstad, L. 2006. An extended misuse case notation: Including vulnerabilities and the insider threat. In Proc. of the Twelfth Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ'06).
Braber, F., Hogganvik, I., Lund, M. S., Stølen, K., and Vraalsen, F. 2007. Model-based security analysis in seven steps: a guided tour to the CORAS method. BT Technology Journal, 25(1), 101–117.
Mouratidis, H., Giorgini, P., Manson, G., and Philp, I. 2002. A natural extension of Tropos methodology for modelling security. In Proc. of the Workshop on Agent-oriented Methodologies, at OOPSLA.
Jürjens, J. 2002. UMLsec: Extending UML for secure systems development. In Proc. of UML'02, pp. 412–425. Springer.
Lodderstedt, T., Basin, D. A., and Doser, J. 2002. SecureUML: A UML-based modeling language for model-driven security. In UML '02: Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 426–441. Springer-Verlag, London, UK.
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
- The author(s) is responsible for the correctness and legality of the paper content.
- Papers that are copyrighted or already published will not be taken into consideration for publication in JMEDS. It is the author(s)' responsibility to ensure that the paper does not cause any copyright infringement or other problems.
- It is the responsibility of the author(s) to obtain all necessary copyright release permissions for the use of any copyrighted materials in the paper prior to the submission.
- The Author(s) retains the right to reuse any portion of the paper, in future works, including books, lectures and presentations in all media, with the condition that the publication by JMEDS is properly credited and referenced.
JMEDS articles by the Journal of Mobile, Embedded and Distributed Systems (JMEDS) are licensed under a Creative Commons Attribution 4.0 International License.
Based on a work at http://jmeds.eu.
Permissions beyond the scope of this license may be available at http://jmeds.eu/index.php/jmeds/about/submissions#copyrightNotice.