The Community for Technology Leaders
RSS Icon
Issue No.01 - January/February (2008 vol.25)
pp: 20-27
Martin Gilje Jaatun , Sintef ICT
Per H?kon Meland , Sintef ICT
Information security requirements are important in all software engineering projects, not only to ensure the correct level of security in the end product but also to avoid implementing security solutions that turn out to be a bad fit. This article compares methods for eliciting and describing security requirements in software development projects, from the viewpoint of developers without extensive security skills. As the authors argue, all software projects need a well-balanced amount of security awareness from the beginning. This article is part of a special issue on Security of the Rest of Us.
Software engineering, requirements elicitation, security requirements
Martin Gilje Jaatun, Per H?kon Meland, "Security Requirements for the Rest of Us: A Survey", IEEE Software, vol.25, no. 1, pp. 20-27, January/February 2008, doi:10.1109/MS.2008.19
1. P. Coffee, "Security Onus Is on Developers," eWeek,6 June 2006,,1895,1972593,00.asp .
2. H. Mouratidis, P. Giorgini, and G. Manson, "When Security Meets Software Engineering: A Case of Modeling Secure Information Systems," Information Systems, vol. 30, no. 8, 2005, pp. 609–629.
3. J.D. Meier, "Web Application Security Engineering," IEEE Security &Privacy, vol. 4, no. 4, 2006, pp. 16–24.
4. S. Furnell, "Why Users Cannot Use Security," Computers &Security, vol. 24, no. 4, 2005, pp. 274–279.
5. L.A. Gordon et al., "CSI/FBI Computer Crime and Security Survey," Computer Security Inst., 2006; .
6. J.F. Davis, "The Affordable Application of Formal Methods to Software Engineering," ACM SIGAda Ada Letters, ACM Press, 2005, pp. 57–62.
7. D.G. Firesmith, "Engineering Security Requirements," J. Object Technology, vol. 2, no. 1, 2003, pp. 53–68.
8. C.B. Haley et al., "Security Requirements Engineering: A Framework for Representation and Analysis," to be published in IEEE Trans. Software Eng.; TSE.2007.70754.
9. G. Peterson, "Collaboration in a Secure Development Process Part 1," Information Security Bull., June 2004, pp. 165–172.
10. N.R. Mead, E.D. Houg, and T.R. Stehney, Security Quality Requirements Engineering (SQUARE) Methodology, tech. report CMU/SEI-2005-TR-009, Software Eng. Inst., Carnegie Mellon Univ., 2005.
11. G. Boström et al., "Extending XP Practices to Support Security Requirements Engineering," Proc. 2006 Int'l Workshop Software Eng. for Secure Systems (SESS), ACM Press, 2006, pp. 11–18.
12. P. Torr, "Demystifying the Threat Modeling Process," IEEE Security &Privacy, vol. 3, no. 5, 2005, pp. 66–70.
13. S. Lipner and M. Howard, "The Trustworthy Computing Security Development Lifecycle, Microsoft Corp., 2005; ms995349.aspx.
14. A. Apvrille and M. Pourzandi, "Secure Software Development by Example," IEEE Security &Privacy, vol. 3, no. 4, 2005, pp. 10–17.
15. E.B. Fernandez, "A Methodology for Secure Software Design," paper presented at the Int'l Symp. Web Services and Applications (ISWS), 2004;
16. K.R. van Wyk and G. McGraw, "Bridging the Gap between Software Development and Information Security," IEEE Security &Privacy, vol. 3, no. 5, 2005, pp. 75–79.
17. J.G. Hall, L. Rapanotti, and M. Jackson, "Problem Frame Semantics for Software Development," Software and Systems Modeling, vol. 4, no. 2, 2005, pp. 189–198.
18. G. McGraw, Software Security: Building Security In, Addison-Wesley, 2006.
19. H. Chivers, "Information Modeling for Automated Risk Analysis," Proc. Comm. and Multimedia Security, LNCS 4237, Springer, 2006, pp. 228–239.
20. A. van Lamsweerde, "Elaborating Security Requirements by Construction of Intentional Anti-models," Proc. 26th Int'l Conf. Software Eng. (ICSE 04), IEEE CS Press, 2004, pp. 148–157.
21. G. Sindre and A.L. Opdahl, "Eliciting Security Requirements with Misuse Cases," Requirements Eng., vol. 10, no. 1, 2005, pp. 34–44.
22. J. McDermott and C. Fox, "Using Abuse Case Models for Security Requirements Analysis," Proc. Computer Security Applications Conf., IEEE CS Press, 1999, pp. 55–64.
23. D.G. Firesmith, "Security Use Cases," J. Object Technology, vol. 2, no. 3, 2003, pp. 53–64.
24. L. Røstad, "An Extended Misuse Case Notation: Including Vulnerabilities and the Insider Threat," Proc. 12th Working Conf. Requirements Eng.: Foundation for Software Quality (REFSQ), Essener Informatik Beiträge, 2006, pp. 33–34.
25. J. Peeters, "Agile Security Requirements Engineering," Symp. Requirements Eng. Information Security, 2005; .
26. V. Kongsli, "Towards Agile Security in Web Applications," Proc. ACM SIGPLANInt'l Conf Object-Oriented Programming Systems Languages and Applications (OOPSLA06), ACM Press, 2006, pp. 805–808.
27. B. Schneier, "Attack Trees—Modeling Security Threats," Dr. Dobb's J., Dec. 1999, pp. 21–29.
28. F. Swiderski and W. Snyder, Threat Modeling, Microsoft Professional, 2004.
29. L. Chung and B.A. Nixon, "Dealing with Non-functional Requirements: Three Experimental Studies of a Process-Oriented Approach," Proc. 17th Int'l Conf. Software Eng. (ICSE 95), IEEE CS Press, 1995, pp. 25–37.
30. L. Chung, "Dealing with Security Requirements during the Development of Information Systems," Proc. 5th Int'l Conf. Advanced Information Systems Eng. (CAiSE), LNCS 685, Springer, 1993, pp. 234–251.
31. J. Cleland-Huang et al., "A Goal-Oriented Approach to Identifying and Mitigating Security Risks," Proc. Int'l Symp. Secure Software Eng., IEEE CS Press, 2006, pp. 167–177.
32. J. Mylopoulos, L. Chung, and E. Yu, "From Object-Oriented to Goal-Oriented Requirements Analysis," Comm. ACM, vol. 42, no. 1, 1999, pp. 31–37.
33. D. Verdon, "Security Policies and the Software Developer," IEEE Security &Privacy, vol. 4, no. 4, 2006, pp. 42–49.
267 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool