Jose Romero-Mariona
ABSTRACT
Security has become a primary and prevalent concern for software systems. The past decade has witnessed a tremendous increase in not only the sheer number of attacks but also the ease with which attacks can be performed on systems. In this paper we exemplify the usage of a novel technique for developing security requirements, by demonstrating each step in the technique when applied to an example usage scenario. Furthermore, this new technique also provides support for deriving testing artifacts from the specified security requirements. We believe that in order to protect a system against harm (intended or not), attention must be given to its requirements. Similar to other system properties and quality attributes, security must be considered at the requirements.
- Romero-Mariona, J., Ziv, H., Richardson, D.: Security Requirements Engineering: A Survey. Technical Report UCI-ISR-08-2. University of California, Irvine. 2008Google Scholar
- Hassan, R., Bohner, S., El-Kassas, S.: Formal Derivation of Security Design Specifications from Security Requirements. Workshop on Cyber security and information intelligence research. 2008 Google ScholarDigital Library
- Redwine, S. et al.: Processes to Produce Secure Software: Towards More Secure Software. National Cyber Security Summit. 2004Google Scholar
- Chivers, H. and Fletcher, M.: Applying Security Design Analysis to a service based system. Software: Practice and Experience, vol. 35 no. 9. 2005 Google ScholarDigital Library
- ISO/IEC.: Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model. ISO/IEC. International Standard 15408-1. 1999Google Scholar
- Allen, J.: Governing for Enterprise Security. Technical Note CMU/SEI-2005-TN-023. 2005Google Scholar
- Viega, J.: Building Security Requirements with CLASP. Proceedings of the Workshop on Software Engineering for Secure Systems (SESS). 2005 Google ScholarDigital Library
- Hallberg, N., Hallberg, J.: The Usage-Centric Security Requirements Engineering (USeR) Method. Information Assurance Workshop. 2006Google Scholar
- Jacobson, I. et al.: Object-Oriented Software Engineering: A Use Case Driven Approach. Addison-Wesley. 1992 Google ScholarDigital Library
Index Terms
- Towards usable cyber security requirements
Recommendations
Secure and Usable Requirements Engineering
ASE '09: Proceedings of the 24th IEEE/ACM International Conference on Automated Software EngineeringSoftware security is an increasingly important aspect of computing; however, it is still addressed as an after thought in too many development efforts. While a variety of approaches have been proposed for security requirements engineering, we find many ...
Later stages support for security requirements
TAPIA '09: The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and InnovationsSoftware security concerns are frequent, widespread, and with potentially harmful consequences. We believe that security concerns should not only be specified as part of software requirements, but should also be supported during later stages of ...
Government regulations in cyber security: Framework, standards and recommendations
AbstractCyber security refers to the protection of Internet-connected systems, such as hardware, software as well as data (information) from cyber attacks (adversaries). A cyber security regulation is needed in order to protect information ...
Highlights- We list and discuss the cyber attacks, security requirements and measures. We then discuss the cyber security incident management framework and its various ...
Reviews
R. Waldo Roth
This is an excellent, well-written, and constructive paper that deals with the requirements phase of any new project. Romero-Mariona et al. use information from one of their previous studies: a preliminary investigation of 30 security requirements engineering (SRE) approaches, 12 of which they examined in great detail [1]. The authors introduce a secure and usable requirements engineering (SURE) approach that consists of three parts: "a checklist of 30 possible steps that may be needed in an individual security development project based on individual requirements"; a three-step refinement of these 30 possible steps, which they illustrate very nicely in the paper; and use cases, which the authors cleverly title "Misuse Cases," as they are viewed from the standpoint of an attacker. A final process derives test cases, which the authors contend project correctly from the security requirements of the system. This descriptive model is concise and effectively illustrated. It will be a great starting point for developing new system security software, for someone with a systems background. It will also be useful in a security course for middle- or upper-level undergraduate students. The paper includes an example of a requirements for online banking system (ROBS), which is somewhat helpful, although the example is limited in its development and could have been expanded further. Also, an encouraging result, at the time of publication, is that 70 percent of this project is now a Web-based application; of course, 100 percent completion would obviously be better. Useful diagrams help illustrate the concepts being proposed and described. In fact, the PowerPoint-quality slides at the end of the paper are both helpful in understanding the paper's content and useful for a classroom setting. The authors use a hypothetical developer that seems a bit trite and is not helpful in the presentation of the material. The test cases lack a sufficient number of illustrations. Finally, while the bibliography and citations are not complete and thorough, they do make for a good starting point. In summary, this is a useful presentation for those who want a fresh start in reviewing the development of requirements for almost any new security system. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments