A Tagging Approach to Extract Security Requirements in Non-Traditional Software Development Processes

2014 ◽  
Vol 5 (4) ◽  
pp. 31-47 ◽  
Author(s):  
Annette Tetmeyer ◽  
Daniel Hein ◽  
Hossein Saiedian
Keyword(s):  
Software Development ◽  
Software Security ◽  
Security Requirements ◽  
Software Systems ◽  
Small Organizations ◽  
Pos Tagging ◽  
Part Of Speech ◽  
Security Requirements Engineering ◽  
Development Processes

While software security has become an expectation, stakeholders often have difficulty expressing such expectations. Elaborate (and expensive) frameworks to identify, analyze, validate and incorporate security requirements for large software systems (and organizations) have been proposed, however, small organizations working within short development lifecycles and minimal resources cannot justify such frameworks and often need a light and practical approach to security requirements engineering that can be easily integrated into their existing development processes. This work presents an approach for eliciting, analyzing, prioritizing and developing security requirements which can be integrated into existing software development lifecycles for small organizations. The approach is based on identifying candidate security goals using part of speech (POS) tagging, categorizing security goals based on canonical security definitions, and understanding the stakeholder goals to develop preliminary security requirements and to prioritize them. It uses a case study to validate the feasibility and effectiveness of the proposed approach.

Meta-Modeling Based Secure Software Development Processes

2014 ◽  
Vol 5 (3) ◽  
pp. 56-74 ◽  
Author(s):  
Mehrez Essafi ◽  
Henda Ben Ghezala
Keyword(s):  
Software Development ◽  
Ad Hoc ◽  
Software Security ◽  
Software Developers ◽  
Secure Software ◽  
Modeling Techniques ◽  
Meta Modeling ◽  
Development Processes ◽  
Secure Software Development

This work suggests a multilevel support to software developers, who often lack knowledge and skills on how to proceed to develop secure software. In fact, developing software with such quality is a hard and complex task that involves many additional security-dedicated activities which are usually omitted in traditional software development lifecycles or integrated but not efficiently and appropriately deployed in some others. To federate all these software security-assurance activities in a structured way and provide the required guidelines for choosing and using them in a flexible development process, authors used meta-modeling techniques and dynamic process execution that consider developer's affinities and product's states. The proposed approach formalizes existing secure software development processes, allows integration of new ones, prevents ad-hoc executions and is supported by a tool to facilitate its deployment. A case study is given here to exemplify the proposed approach application and to illustrate some of its advantages.

A Systematic Review and Catalog of Security Metric during the Secure Software Development Life Cycle

2020 ◽  
Vol 13 ◽  
Author(s):  
Sampada G.C ◽  
Tende Ivo Sake ◽  
Amrita
Keyword(s):  
Systematic Review ◽  
Life Cycle ◽  
Software Development ◽  
Software Security ◽  
Security Assessment ◽  
Security Metrics ◽  
Development Life Cycle ◽  
Development Processes ◽  
Secure Software Development ◽  
Software Development Life Cycle

Background: With the advancement in the field of software development, software poses threats and risks to customers’ data and privacy. Most of these threats are persistent because security is mostly considered as a feature or a non-functional requirement, not taken into account during the software development life cycle (SDLC). Introduction: In order to evaluate the security performance of a software system, it is necessary to integrate the security metrics during the SDLC. The appropriate security metrics adopted for each phase of SDLC aids in defining the security goals and objectives of the software as well as quantify the security in the software. Methods: This paper presents systematic review and catalog of security metrics that can be adopted during the distinguishable phases of SDLC, security metrics for vulnerability and risk assessment reported in the literature for secure development of software. The practices of these metrics enable software security experts to improve the security characteristics of the software being developed. The critical analysis of security metrics of each phase and their comparison are also discussed. Results: Security metrics obtained during the development processes help to improve the confidentiality, integrity, and availability of software. Hence, it is imperative to consider security during the development of the software, which can be done with the use of software security metrics. Conclusion: This paper reviews the various security metrics that are meditated in the copious phases during the progression of the SDLC in order to provide researchers and practitioners with substantial knowledge for adaptation and further security assessment.

Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method

2007 ◽  
pp. 43-69 ◽  
Author(s):  
N. R. Mead
Keyword(s):  
Requirements Engineering ◽  
Systematic Approach ◽  
Promising Method ◽  
Security Requirements ◽  
Software Systems ◽  
Quality Requirements ◽  
Student Teams ◽  
Security Requirements Engineering ◽  
Engineering Institute

In this chapter, we describe general issues in developing security requirements, meth-ods that have been useful, and a method (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems. SQUARE, which was developed by the CERT Program at Carnegie Mellon University’s Soft-ware Engineering Institute, provides a systematic approach to security requirements engineering. SQUARE has been used on a number of client projects by Carnegie Mellon student teams, prototype tools have been developed, and research is ongoing to improve this promising method.

Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method

2008 ◽  
pp. 943-963
Author(s):  
N. R. Mead
Keyword(s):  
Requirements Engineering ◽  
Systematic Approach ◽  
Promising Method ◽  
Security Requirements ◽  
Software Systems ◽  
Quality Requirements ◽  
Student Teams ◽  
Security Requirements Engineering ◽  
Engineering Institute

In this chapter, we describe general issues in developing security requirements, methods that have been useful, and a method (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems. SQUARE, which was developed by the CERT Program at Carnegie Mellon University’s Soft-ware Engineering Institute, provides a systematic approach to security requirements engineering. SQUARE has been used on a number of client projects by Carnegie Mellon student teams, prototype tools have been developed, and research is ongoing to improve this promising method.

scholarly journals Software Development Initiatives to Identify and Mitigate Security Threats - Two Systematic Mapping Studies

2016 ◽  
Author(s):  
Paulina Silva ◽  
René Noël ◽  
Santiago Matalonga ◽  
Hernán Astudillo ◽  
Diego Gatica ◽  
...  
Keyword(s):  
Software Development ◽  
Software Security ◽  
The Other ◽  
Software Systems ◽  
Security Threats ◽  
Controlled Experiments ◽  
Systematic Mapping ◽  
Development Lifecycle ◽  
Secure Software ◽  
Software Development Lifecycle

Software Security and development experts have addressed the problem of building secure software systems. There are several processes and initiatives to achieve secure software systems. However, most of these lack empirical evidence of its application and impact in building secure software systems. Two systematic mapping studies (SM) have been conducted to cover the existent initiatives for identification and mitigation of security threats. The SMs created were executed in two steps, first in 2015 July, and complemented through a backward snowballing in 2016 July. Integrated results of these two SM studies show a total of 30 relevant sources were identified; 17 different initiatives covering threats identification and 14 covering the mitigation of threats were found. All the initiatives were associated to at least one activity of the Software Development Lifecycle (SDLC); while 6 showed signs of being applied in industrial settings, only 3 initiatives presented experimental evidence of its results through controlled experiments, some of the other selected studies presented case studies or proposals.

scholarly journals Framework for Testing the Security of Application Software at Design Phase

2019 ◽  
Vol 8 (11) ◽  
pp. 4039-4049
Keyword(s):  
Software Development ◽  
Initial Level ◽  
Software Security ◽  
System Security ◽  
Security Requirements ◽  
Security Level ◽  
Application Software ◽  
Design Phase ◽  
Security Testing ◽  
Security Breaches

Software security testing is essential to reveal the weaknesses in the security of the system. The security level of the software must be assessed properly and timely so that the security breaches can be prevented to occur otherwise they harm the system. Security testing during designing the software will be advantageous to reduce the rework and expenses required if it will be found insecure after the implementation. Security testing can be achieved efficiently through proper framework at the early stages of software development. Security can be checked at the initial level by taking inputs at the requirement phase and design phase so that loopholes can be found and the propagation of vulnerabilities can be prevented. At requirement phase security requirements can be filtered and then at the next phase designing artifacts can be inspected for security errors. A metric is designed which will grade the software under test and state that whether the system is secured at the proper level or not. In this paper a framework is proposed which is based on metric and the validation of the metric is done through the Weyuker’s property.

Sign in / Sign up

Export Citation Format

Share Document