
Capturing Security Requirements Using Essential Use Cases (EUCs)

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 432))

Abstract

Capturing security requirements is a complex process, but it is crucial to the success of a secure software product. Requirements engineers therefore need security knowledge when eliciting and analyzing security requirements from business requirements. However, most requirements engineers lack such knowledge and skills, and they have difficulty capturing and understanding many security terms and issues. The result is inaccurate, inconsistent and incomplete security requirements, which in turn may lead to insecure software systems. In this paper, we describe a new approach to capturing security requirements using an extended Essential Use Cases (EUCs) model. This approach improves the process of capturing and analyzing security requirements so that the resulting requirements are accurate and complete. We evaluated our prototype tool through usability testing and through an assessment of the quality of the EUC security patterns it generates, carried out by security engineering experts.




© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yahya, S., Kamalrudin, M., Sidek, S., Grundy, J. (2014). Capturing Security Requirements Using Essential Use Cases (EUCs). In: Zowghi, D., Jin, Z. (eds) Requirements Engineering. Communications in Computer and Information Science, vol 432. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43610-3_2


  • DOI: https://doi.org/10.1007/978-3-662-43610-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-43609-7

  • Online ISBN: 978-3-662-43610-3

  • eBook Packages: Computer Science (R0)
