Security requirements for the rest of us: A survey

IEEE Software

Volumn 25, Issue 1, 2008, Pages 20-27

  Tondel, Inger Anne ^a   Jaatun, Martin Gilje ^a   Meland, Per Håkon ^a  

^a SINTEF ICT   (Norway)

Author keywords

Requirements elicitation; Security requirements; Software engineering

Indexed keywords

COMPUTER SYSTEM FIREWALLS; DATA PRIVACY; SOFTWARE ENGINEERING;

REQUIREMENTS ELICITATION; SECURITY REQUIREMENTS;

SECURITY OF DATA;

EID: 39449099894     PISSN: 07407459     EISSN: None     Source Type: Journal    
DOI: 10.1109/MS.2008.19     Document Type: Article

References (33)

1. P. Coffee, "Security Onus Is on Developers," eWeek, 6 June 2006, www.eweek.com/article2/0,1895,1972593,00.asp.
2. H. Mouratidis, P. Giorgini, and G. Manson, "When Security Meets Software Engineering: A Case of Modeling Secure Information Systems," Information Systems, vol. 30, no. 8, 2005, pp. 609-629.
3. J.D. Meier, "Web Application Security Engineering," IEEE Security & Privacy, vol. 4, no. 4, 2006, pp. 16-24.
4. S. Furnell, "Why Users Cannot Use Security," Computers & Security vol. 24, no. 4, 2005, pp. 274-279.
5. L.A. Gordon et al., "CSI/FBI Computer Crime and Security Survey," Computer Security Inst., 2006; www.gocsi.com/forms/fbi/ csi_fbi_survey.jhtml.
6. J.F. Davis, "The Affordable Application of Formal Methods to Software Engineering," ACM SIGAda Ada Letters, ACM Press, 2005, pp. 57-62.
7. D.G. Firesmith, "Engineering Security Requirements," J. Object Technology, vol. 2, no. 1, 2003, pp. 53-68.
8. C.B. Haley et al., "Security Requirements Engineering: A Framework for Representation and Analysis," to be published in IEEE Trans. Software Eng.; http://doi.ieeecomputersociety.org/10.1109/ TSE.2007.70754.
9. G. Peterson, "Collaboration in a Secure Development Process Part 1," Information Security Bull., June 2004, pp. 165-172.
10. N.R. Mead, E.D. Houg, and T.R. Stehney, Security Quality Requirements Engineering (SQUARE) Methodology, tech. report CMU/ SEI-2005-TR-009, Software Eng. Inst., Carnegie Mellon Univ., 2005.
11. G. Boström et al., "Extending XP Practices to Support Security Requirements Engineering," Proc. 2006 Int'l Worksbop Software Eng. for Secure Systems (SESS), ACM Press, 2006, pp. 11-18.
12. P. Torr, "Demystifying the Threat Modeling Process," IEEE Security & Privacy, vol. 3, no. 5, 2005, pp. 66-70.
13. S. Lipner and M. Howard, "The Trustworthy Computing Security Development Lifecycle," Microsoft Corp., 2005; http://msdn2.microsoft.com/en-us/library/ms995349.aspx.
14. A. Apvrille and M. Pourzandi, "Secure Software Development by Example," IEEE Security & Privacy, vol. 3, no. 4, 2005, pp. 10-17.
15. E.B. Fernandez, "A Methodology for Secure Software Design," paper presented at the Int'l Symp. Web Services and Applications (ISWS), 2004; www.cse.fau.edu/~ed/EFLVSecSysDes1.pdf.
16. K.R. van Wyk and G. McGraw, "Bridging the Gap between Software Development and Information Security," IEEE Security & Privacy, vol. 3, no. 5, 2005, pp. 75-79.
17. J.G. Hall, L. Rapanotti, and M. Jackson, "Problem Frame Semantics for Software Development," Software and Systems Modeling, vol. 4, no. 2, 2005, pp. 189-198.
18. G. McGraw, Software Security: Building Security In, Addison-Wesley, 2006.
19. H. Chivers, "Information Modeling for Automated Risk Analysis," Proc. Comm. and Multimedia Security, LNCS 4237, Springer, 2006, pp. 228-239.
20. A. van Lamsweerde, "Elaborating Security Requirements by Construction of Intentional Anti-models," Proc. 26th Int'l Conf. Software Eng. (ICSE 04), IEEE CS Press, 2004, pp. 148-157.
21. G. Sindre and A.L. Opdahl, "Eliciting Security Requirements with Misuse Cases," Requirements Eng., vol. 10, no. 1, 2005, pp. 34-44.
22. J. McDermott and C. Fox, "Using Abuse Case Models for Security Requirements Analysis," Proc. Computer Security Applications Conf. IEEE CS Press, 1999, pp. 55-64.
23. D.G. Firesmith, "Security Use Cases," J. Object Technology, vol. 2, no. 3, 2003, pp. 53-64.
24. L. Røstad, "An Extended Misuse Case Notation: Including Vulnerabilities and the Insider Threat," Proc. 12th Working Conf. Requirements Eng.: Foundation for Software Quality (REFSQ), Essener Informatik Beiträge, 2006, pp. 33-34.
25. J. Peeters, "Agile Security Requirements Engineering," Symp. Requirements Eng. Information Security, 2005; www.sreis.org/ SREIS_05_Program/short26_peeters.pdf.
26. V. Kongsli, "Towards Agile Security in Web Applications," Proc. ACM SIGPLAN Int'l Conf Object-Oriented Programming Systems Languages and Applications (OOPSLA 06), ACM Press, 2006, pp. 805-808.
27. B. Schneier, "Attack Trees - Modeling Security Threats," Dr. Dobb's J., Dec. 1999, pp. 21-29.
28. F. Swiderski and W. Snyder, Threat Modeling, Microsoft Professional, 2004.
29. L. Chung and B.A. Nixon, "Dealing with Non-functional Requirements: Three Experimental Studies of a Process-Oriented Approach," Proc. 17th Int'l Conf. Software Eng. (ICSE 95), IEEE CS Press, 1995, pp. 25-37.
30. L. Chung, "Dealing with Security Requirements during the Development of Information Systems," Proc. 5th Int'l Conf. Advanced Information Systems Eng. (CAiSE), LNCS 685, Springer, 1993, pp. 234-251.
31. J. Cleland-Huang et al., "A Goal-Oriented Approach to Identifying and Mitigating Security Risks," Proc. Int'l Symp. Secure Software Eng. IEEE CS Press, 2006, pp. 167-177.
32. J. Mylopoulos, L. Chung, and E. Yu, "From Object-Oriented to Goal-Oriented Requirements Analysis," Comm. ACM, vol. 42, no. 1, 1999, pp. 31-37.
33. D. Verdon, "Security Policies and the Software Developer," IEEE Security & Privacy, vol. 4, no. 4, 2006, pp. 42-49.