Abstract
Capturing security requirements is a complex process, but it is crucial to the success of a secure software product. Hence, requirements engineers need security knowledge when eliciting and analyzing security requirements from business requirements. However, the majority of requirements engineers lack such knowledge and skills, and they have difficulty capturing and understanding many security terms and issues. This results in inaccurate, inconsistent and incomplete security requirements, which in turn may lead to insecure software systems. In this paper, we describe a new approach to capturing security requirements using an extended Essential Use Cases (EUCs) model. This approach enhances the process of capturing and analyzing security requirements so as to produce accurate and complete requirements. We have evaluated our prototype tool through usability testing and through an assessment, by security engineering experts, of the quality of the EUC security patterns it generates.
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yahya, S., Kamalrudin, M., Sidek, S., Grundy, J. (2014). Capturing Security Requirements Using Essential Use Cases (EUCs). In: Zowghi, D., Jin, Z. (eds) Requirements Engineering. Communications in Computer and Information Science, vol 432. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43610-3_2
DOI: https://doi.org/10.1007/978-3-662-43610-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43609-7
Online ISBN: 978-3-662-43610-3
eBook Packages: Computer Science (R0)