Abstract
Successful, quality software projects need to be able to rely on a sufficient level of security in order to manage the technical, legal and business risks that arise from distributed development. The definition of a ‘sufficient’ level of security, however, is typically only captured in implicit requirements that are rarely gathered in a methodological way. Such an unstructured approach makes the work of quality managers incredibly difficult and often forces developers to unwillingly operate in an unclear or undefined security state throughout the project. Ideally, security requirements are elicited in a methodological manner, enabling structured storage, retrieval, and checking of requirements. In this paper we report on the experiences of applying a structured requirements elicitation method and list a set of gathered reference security requirements. The reported experiences were gathered in an industrial setting using the open source platform OpenCIT in cooperation with industry partners. The output of this work enables security- and quality-conscious stakeholders in a software project to draw from our experiences and evaluate against a reference baseline.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Frühwirth, C., Mordinyi, R. (2012). Quality Needs Structure: Industrial Experiences in Systematically Defining Software Security Requirements. In: Biffl, S., Winkler, D., Bergsmann, J. (eds) Software Quality. Process Automation in Software Development. SWQD 2012. Lecture Notes in Business Information Processing, vol 94. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27213-4_15
DOI: https://doi.org/10.1007/978-3-642-27213-4_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27212-7
Online ISBN: 978-3-642-27213-4
eBook Packages: Computer Science (R0)