A Framework for Security Requirements : Security Requirements Categorization and Misuse Cases / En ram för Säkerhetskrav : Säkerhetskrav kategorisering och missbruk ärenden

Bogale, Helen Yeshiwas, Ahmed, Zohaib

January 2011

Context: Security Requirements engineering is necessary to achieve secure software systems. Many techniques and approaches have been proposed to elicit security requirements in the initial phases of development. With the growing importance of security and immense increase in security breaches over the past few years, researchers and practitioners have been striving to achieve a mature process of coping with security requirements. Much of the activities in this regard are seen in academia but industry still seems to be lacking in giving the required importance to security requirements engineering. That is why, security requirements engineering is still not always considered as a central part of requirements engineering. This study is targeted to bridge this gap between academia and industry in terms of security requirements engineering and to provide a concrete approach to efficiently elicit and specify security requirements. The Misuse case technique is proposed for this purpose. However it lacks in providing guidelines for enabling scalable use. This limitation has been addressed to achieve a mature process of security requirements elicitation. Objectives: In this study, we propose a framework to elicit security requirements early in the software development using misuse case technique. Objective is to make misuse case technique scalable and applicable to the real-world projects. The proposed framework was presented to two representatives from the Swedish Armed Forces (SWAF). The feedback received from the representatives was utilized to refine, update and finalize the framework. Methods: The study involved a systematic review to gain an insight of the academic perspective in the area of study. Document extraction was adopted to observe the industrial trends in the said subject. These were the software requirements specification documents of the real-world systems. Document extraction was supported with informed brainstorming because the study revolved around misuse case technique and informed brainstorming is considered to be the most suitable technique for this purpose. A workshop was conducted with two representatives of Swedish Armed Forces followed by two subsequent asynchronous communication rounds and a facilitated session to get feedback about the proposed solution. This feedback was utilized to refine, update and finalize the proposed solution. Results: The results of the systematic review were organized in tabular forms for a clear understanding and easy analysis. A security requirements categorization was obtained as a result which was finalized after an initial validation with the help of real-world projects. Furthermore, a framework was proposed utilizing this categorization to address the limitations of misuse case technique. The framework was created and refined through workshop and different communication rounds with representatives of SWAF. Their feedback was used as input to further improve the usefulness and usability aspects of the framework. Conclusions: The significance of security requirements engineering is undisputedly accepted both in academia and industry. However, the area is not a subject of practice in industrial projects. The reasons include lack of mature processes as well as expensive and time consuming solutions. Lack of empirical evidences adds to the problems. The conducted study and proposed process of dealing with this issue is considered as a one step forward towards addressing the challenges. / Säkerhet Kravhantering är nödvändigt för att uppnå säkra programvarusystem. Många tekniker och metoder har föreslagits för att framkalla säkerhetskraven i de inledande faserna i utvecklingen. Med den växande betydelsen av säkerhet och enorma ökning av brott mot säkerheten under de senaste åren har forskare och praktiker strävat efter att uppnå en mogen process för att klara säkerhetskraven. Mycket av verksamheten i detta avseende ses i den akademiska världen, men industrin fortfarande tycks saknas i att ge den nödvändiga betydelse för säkerheten kravhantering. Därför är säkerheten kravhantering fortfarande inte alltid som en central del av kravhantering. Denna studie är inriktad att överbrygga denna klyfta mellan akademi och näringsliv när det gäller säkerhet kravhantering och att ge en konkret strategi för att effektivt få fram och specificera säkerhetskrav. Missbruk fallet tekniken föreslås för detta ändamål. Men det saknar i att ge riktlinjer för att möjliggöra skalbar användning. Denna begränsning har åtgärdats för att uppnå en mogen process av säkerhetskrav elicitation. / +46 (0) 735 84 12 97, +46 (0) 760 60 96 55

Misuse Case

Security Requirements

Categorization

Elicitation

Specification

Computer Sciences

Datavetenskap (datalogi)

Software Engineering

Programvaruteknik