SREPPLine: Towards a Security Requirements Engineering Process for Software Product Lines

Daniel Mellado, Eduardo Fernández-Medina, Mario Piattini

2007

Abstract

Security related requirements are increasingly becoming a significant portion of the total set of requirements for many software systems. At the same time, nowadays many systems are developed based on the product line engineering paradigm. Within product lines, security requirements issues are extremely important because weakness in security can cause problems throughout the lifecycle of a line. The main contribution of this work is that of providing a standard-based process, which is an add-in of activities in the domain engineering as well as in application engineering processes. These processes deal with the security requirements from the early stages of product line lifecycle in a systematic and intuitive way especially adapted for product line based development. It is based on the use of the latest security requirements techniques, together with the integration of the Common Criteria (ISO/IEC 15408) into the product line lifecycle. Additionally, it deals with security artifacts reuse, by providing us with a Security Resources Repository. Moreover, it facilitates the conformance to the most relevant security standards with regard to the management of security requirements.

References

  1. Baskeville, R., The development duality of information systems security. Journal of Management Systems, 1992. 4(1): p. 1-12.
  2. Birk, A., Heller, G., John, I., MaBen, T.v.d., Müller, K., and Schmid, K., Product line engineering industrial nuts and bolts. 2003, Fraunhofer IESE: Kaiserslautern.
  3. Bosh, J., Design & Use of Software Architectures. 2000: Pearson Education Limited.
  4. Clements, P. and Northrop, L., Software Product Lines: Practices and Patterns. SEI Series in Software Engineering. 2002: Addison-Wesley.
  5. Firesmith, D.G., Engineering Security Requirements. Journal of Object Technology, 2003. 2(1): p. 53-68.
  6. Firesmith, D.G., Security Use Cases. Journal of Object Technology, 2003: p. 53-64.
  7. IEEE, IEEE 830: 1998 Recommended Practice for Software Requirements Specifications. 1998.
  8. ISO/IEC, ISO/IEC 21827:2002 Information technology -- Systems Security Engineering -- Capability Maturity Model (SSE-CMM). 2002.
  9. ISO/IEC, ISO/IEC 13335 Information technology - Security techniques - Management of information and comunications technology security - Part 1: Concepts and models for information and comunications technology security management. 2004.
  10. ISO/IEC, ISO/IEC 15408:2005 Information technology - Security techniques - Evaluation criteria for IT security, (Common Criteria v3.0). 2005.
  11. ISO/IEC, ISO/IEC 17799 Information technology - Security techniques - Code of practice for information security management. 2005.
  12. ISO/IEC, ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management systems -- Requirements. 2005.
  13. Jürjens, J., UMLsec: extending UML for secure systems development. UML 2002 - The Unified Modeling Language. Model Engineering, Languages,Concepts, and Tools. 5th International Conference., 2002. LNCS 2460: p. 412-425.
  14. Käkölä, T. and Dueñas, J.C., Software Product Lines: Research Issues in Engineering and Management. 2006: Springer.
  15. Kang, K., Cohen, S., Hess, J.A., Novak, W.E., and Peterson, S.A., Feature-Oriented Domain Analysis (FODA) Feasibility Study. 1990, Software Engineering Institute, CarnegieMellon University.
  16. Kim, J., Kim, M., and Park, S., Goal and scenario bases domain requirements analysis environment. The Journal of Systems and Software, 79(7) (2005). p. 926 - 938.
  17. Kim., H.-K., Automatic Translation Form Requirements Model into Use Cases Modeling on UML. ICCSA 2005, LNCS, 2005: p. 769-777.
  18. Kotonya, G. and Sommerville, I., Requirements Engineering Process and Techniques. Hardcover ed. 1998, UK: John Willey & Sons. 294.
  19. Kotonya, G. and Sommerville, I., Requirements Engineering Process and Techniques. 2000: John Willey & Sons.
  20. Lee, J., Lee, J., Lee, S., and Choi, B., A CC-based Security Engineering Process Evaluation Model. 27th Annual International Computer Software and Applications Conference (COMPSAC'03), 2003: p. 130-.
  21. López, F., Amutio, M.A., Candau, J., and Mañas, J.A., Methodology for Information Systems Risk Analysis and Management. 2005: Ministry of Public Administration.
  22. McDermott, J. and Fox, C. Using Abuse Case Models for Security Requirements Analysis. in Annual Computer Security Applications Conference. 1999. Phoenix, Arizona.
  23. Mead, N.R. and Stehney, T. Security Quality Requirements Engineering (SQUARE) Methodology. in Software Engineering for Secure Systems (SESS05), ICSE 2005 International Workshop on Requirements for High Assurance Systems. 2005. St. Louis.
  24. Mellado, D., Fernández-Medina, E., and Piattini, M., A Comparative Study of Proposals for Establishing Security Requirements for the Development of Secure Information Systems. The 2006 International Conference on Computational Science and its Applications (ICCSA 2006), Springer LNCS 3982, 2006. 3: p. 1044-1053.
  25. Mellado, D., Fernández-Medina, E., and Piattini, M., A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems. Computer Standards and Interfaces, 29(2) (2007). p. 244 - 253.
  26. Mellado, D., Rodríguez, M., Fernández-Medina, E., and Piattini, M., Soporte Automatizado a la Ingeniería de Requisitos de Seguridad. X Workshop Iberoamericano de Ingeniería de Requisitos y Ambientes de Software (IDEAS'07), 2007: p. (accepted).
  27. Pohl, K., Böckle, G., and Linden, F.v.d., Software Product Line Engineering. Foundations, Principles and Techniques. 2005, Berlin Heidelberg: Springer.
  28. Popp, G., Jürjens, J., Wimmel, G., and Breu, R., Security-Critical System Development with Extended Use Cases. 2003: 10th Asia-Pacific Software Engineering Conference. p. 478-487.
  29. Schmid, K., Krennrich, K., and Eisenbarth, M., Requirements Management for Product Lines: A Prototype. 2005, Fraunhofer IESE.
  30. Sindre, G. and Opdahl, A.L., Eliciting security requirements with misuse cases. Requirements Engineering 10, 2005. 1: p. 34-44.
  31. Siponen, M.T., Secure-System Design Methods: Evolution and Future Directions. IT Professional, 8(3) (2006). p. 40-44.
  32. Toval, A., Nicolás, J., Moros, B., and García, F., Requirements Reuse for Improving Information Systems Security: A Practitioner's Approach. Requirements Engineering, 6(4) (2002). p. 205-219.
Download


Paper Citation


in Harvard Style

Mellado D., Fernández-Medina E. and Piattini M. (2007). SREPPLine: Towards a Security Requirements Engineering Process for Software Product Lines . In Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007) ISBN 978-972-8865-96-2, pages 220-232. DOI: 10.5220/0002424702200232


in Bibtex Style

@conference{wosis07,
author={Daniel Mellado and Eduardo Fernández-Medina and Mario Piattini},
title={SREPPLine: Towards a Security Requirements Engineering Process for Software Product Lines},
booktitle={Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)},
year={2007},
pages={220-232},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002424702200232},
isbn={978-972-8865-96-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007)
TI - SREPPLine: Towards a Security Requirements Engineering Process for Software Product Lines
SN - 978-972-8865-96-2
AU - Mellado D.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2007
SP - 220
EP - 232
DO - 10.5220/0002424702200232