research-article

Reusing security requirements using an extended quality model

Authors:
Markus Luckey

University of Paderborn

University of Paderborn
View Profile

,
Andrea Baumann

Universität der Bundeswehr, München

Universität der Bundeswehr, München
View Profile

,
Daniel Méndez

Fernández, TU München

Fernández, TU München
View Profile

,
Stefan Wagner

TU München

TU München
View Profile

SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure SystemsMay 2010Pages 1–7https://doi.org/10.1145/1809100.1809101

Published:02 May 2010Publication History

SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems

Pages 1–7

ABSTRACT

A reoccurring problem in software engineering constitutes ensuring sufficient completeness of requirements specifications with economically justifiable efforts. Formulating precise quality requirements and especially security requirements is elaborate as they depend on many stakeholders and technological aspects that are often unclear in early project phases. Threats that may have a severe impact on the software product are sometimes not even known. One approach to tackle this situation is reusing quality requirements, because they are to a high degree similar in different software products. The effect can be higher quality while at the same time saving time and budget.

Quality models are a way to explicitly specify quality. Based on activity-based quality models an approach for specifying reusable quality requirements in early project phases is proposed that also allows a direct derivation of suitable quality requirements for new projects. The applicability of this approach and the resulting reuse potential is investigated in a case study, which concentrates on the security requirements of six industrial projects.

References

A. I. Anton and J. B. Earp. Strategies for developing policies and requirements for secure electronic commerce systems. Technical report, North Carolina State University at Raleigh, 2000. Google ScholarDigital Library
V. Basili, P. Donzelli, and S. Asgari. A unified model of dependability: Capturing dependability in context. IEEE Softw., 21(6):19--25, 2004. Google ScholarDigital Library
B. W. Boehm and P. N. Papaccio. Understanding and controlling software costs. IEEE Trans. Softw. Eng., 14(10):1462--1477, October 1988. Google ScholarDigital Library
CCRA. Common criteria for information technology security evaluation, version 3.1. http://www.commoncriteria.org, 2009.Google Scholar
L. M. Cysneiros and J. C. S. do Prado Leite. Nonfunctional Requirements: From Elicitation to Conceptual Models. IEEE Trans. Softw. Eng., 30(5), 2004. Google ScholarDigital Library
F. Deissenboeck, E. Juergens, K. Lochmann, and S. Wagner. Software quality models: Purposes, usage scenarios and requirements. In Proc. 7th International Workshop on Software Quality (WoSQ 09). IEEE Computer Society, 2009. Google ScholarDigital Library
F. Deissenboeck, S. Wagner, M. Pizka, S. Teuchert, and J. F. Girard. An activity-based quality model for maintainability. In Proc. IEEE International Conference on Software Maintenance (ICSM 2007), pages 184--193. IEEE Computer Society, 2007.Google ScholarCross Ref
J. Doerr, D. Kerkow, T. Koenig, T. Olsson, and T. Suzuki. Non-functional requirements in industry -- three case studies adopting an experience-based NFR method. In Proc. 13th International Conference on Requirements Engineering (RE'05), pages 373--382. IEEE Computer Society, 2005. Google ScholarDigital Library
C. Ebert. Dealing with Nonfunctional Requirements in Large Software Systems. Ann. Softw. Eng., 3:367--395, 1997. Google ScholarDigital Library
Federal Office for Information Security (BSI) in Germany. IT-Grundschutz Catalogues. https://www.bsi.bund.de/, 2007.Google Scholar
D. Firesmith. Engineering security requirements. Journal of Object Technology, 2(1):53--68, 2003.Google ScholarCross Ref
M. Glinz. On non-functional requirements. In Proc. 15th IEEE International Requirements Engineering Conference. IEEE Computer Society, 2007.Google ScholarCross Ref
T. Gorschek and C. Wohlin. Requirements abstraction model. Requir. Eng., 11(1):79--101, 2006. Google ScholarDigital Library
C. B. Haley, R. C. Laney, J. D. Moffett, and B. Nuseibeh. Security requirements engineering: A framework for representation and analysis. IEEE Trans. Softw. Eng., 34(1):133--153, 2008. Google ScholarDigital Library
R. Kazman, M. Klein, and P. Clements. ATAM: Method for architecture evaluation. Technical report, CMU/SEI, August 2000.Google Scholar
B. Kitchenham and S. P. Pfleeger. Software quality: The elusive target. IEEE Softw., 13(1):12--21, 1996. Google ScholarDigital Library
D. Mellado, E. Fernandez-Medina, and M. Piattini. A common criteria based security requirements engineering process for the development of secure information systems. Computer Standards & Interfaces, 29(2):244--253, 2007. Google ScholarDigital Library
D. Mellado, E. F. Medina, and M. Piattini. Security requirements variability for software product lines. In Proc. Third International Conference on Availability, Reliability and Security (ARES '08), pages 1413--1420. IEEE Computer Society, 2008. Google ScholarDigital Library
J. Mylopoulos, L. Chung, and B. Nixon. Representing and using nonfunctional requirements: A process-oriented approach. IEEE Trans. Softw. Eng., 18(6):483--497, 1992. Google ScholarDigital Library
G. Sindre, D. G. Firesmith, and A. L. Opdahl. A reuse-based approach to determining security requirements. In Proc. 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03), pages 16--17, 2003.Google Scholar
I. Sommerville. Software Engineering (6th Edition). Addison Wesley, August 2000. Google ScholarDigital Library
S. Wagner, F. Deissenboeck, and S. Winter. Managing quality requirements using activity-based quality models. In Proc. 6th Intern. Workshop on Software Quality (WoSQ '08), pages 29--34. ACM Press, 2008. Google ScholarDigital Library
S. Wagner, D. Mendez Fernandez, S. Islam, and K. Lochmann. A security requirements approach for web systems. In Workshop Quality Assessment in Web (QAW 2009). 2009.Google Scholar

Index Terms

Reusing security requirements using an extended quality model
1. Software and its engineering
  1. Software creation and management
    1. Designing software
      1. Requirements analysis
    2. Software development techniques
      1. Reusability

Recommendations

Collecting Quality Requirements Using Quality Models and Goals
QUATIC '10: Proceedings of the 2010 Seventh International Conference on the Quality of Information and Communications Technology

Determining the quality of a software product basically deals with checking the fulfillment of functional and quality requirements. Therefore, specifying useful and testable quality requirements is a central challenge. Many existing approaches focus on ...
Read More
A Case Study on Specifying Quality Requirements Using a Quality Model
APSEC '12: Proceedings of the 2012 19th Asia-Pacific Software Engineering Conference - Volume 01

Quality requirements are an often neglected part of requirements engineering. If specified at all, they tend to be either too abstract or very technical and without a rationale. In this paper, we evaluate a quality requirements approach, which makes use ...
Read More
Quality Assessment Technique for Enterprise Information-management System Software
ICEIS 2014: Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2

The paper represents an overview of existing methods and standards used for the quality assessment of computer software. Quality model, quality requirements and recommendations for the evaluation of software product quality are defined in standards, but ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
May 2010
83 pages
ISBN:9781605589657
DOI:10.1145/1809100
General Chairs:
Seok-Won Lee
University of North Carolina at Charlotte
,
Mattia Monga
Università degli Studi di Milano, Italy
,
Jan Jürjens
Technical University Dortmund, Germany
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 May 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
quality model
quality requirement
reuse
security
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate8of11submissions,73%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 15
  Total Citations
  View Citations
- 319
  Total Downloads
- Downloads (Last 12 months)2
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Reusing security requirements using an extended quality model

SESS '10: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems

ABSTRACT

References

Cited By

Index Terms

Recommendations

Collecting Quality Requirements Using Quality Models and Goals

A Case Study on Specifying Quality Requirements Using a Quality Model

Quality Assessment Technique for Enterprise Information-management System Software