A systematic review of security requirements engineering

Computer Standards and Interfaces

Volumn 32, Issue 4, 2010, Pages 153-165

  Mellado, Daniel ^a   Blanco, Carlos ^b   Sánchez, Luis E ^c   Fernández Medina, Eduardo ^b  

^a Spanish Tax Agency Madrid ^*  (Spain)

^b UNIVERSITY OF CASTILLA LA MANCHA   (Spain)

^c SICAMAN Nuevas Tecnologias   (Spain)

Author keywords

Requirements engineering; Secure development; Security; Security engineering; Security requirements; Security requirements engineering; Systematic review

Indexed keywords

RESEARCH ACTIVITIES; SECURE SOFTWARE; SECURITY ENGINEERING; SECURITY REQUIREMENTS; SECURITY REQUIREMENTS ENGINEERING; SOFTWARE DEVELOPMENT PROCESS; SYSTEMATIC REVIEW;

COMPUTER SOFTWARE; REQUIREMENTS ENGINEERING; SECURITY SYSTEMS;

ENGINEERING;

EID: 77950516969     PISSN: 09205489     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.csi.2010.01.006     Document Type: Review

References (75)

1. Walton J.P. Developing a enterprise information security policy. ACM Press: Proceedings of the 30th annual ACM SIGUCCS conference on User services (2002)
2. Choo, K.-K.R., R.G. Smith, and R. McCusker, Future directions in technology-enabled crime: 2007-09, in Research and Public Policy Series, Australian_Government, Editor. 2007, Australian Institute of Criminology
3. Zulkernine M., and Ahamed S.I. Software security engineering: toward unifying software engineering and security engineering. In: Warkentin M., and Vaughn R.B. (Eds). Enterprise Information Systems Assurance and System Security (2006), Idea Group Publishing
4. Konrad, S., B.H.C. Chengy, L.A. Campbell, and R. Wassermann, Using Security Patterns to Model and Analyze Security Requirements, in High Assurance Systems Workshop (RHAS 03) as part of the IEEE Joint International Conference on Requirements Engineering (RE 03): Monterey Bay, CA (USA).
5. Viega J., Secure Software Inc, and McClean V.A. Building security requirements with CLASP. Proceedings of the 2005 workshop on Software engineering for secure systems-building trustworthy applications (2005) 1-7
6. Firesmith D.G. Specifying reusable security requirements. Journal of Object Technology (2004) 61-75
7. Kim J., Kim M., and Park S. Goal and scenario bases domain requirements analysis environment. The Journal of Systems and Software (2005) 926-938
8. Kotonya G., and Sommerville I. Requirements engineering process and techniques. Hardcover ed. 294 (1998), John Willey & Sons, UK
9. McDermott J., and Fox C. Using abuse case models for security requirements analysis. Annual Computer Security Applications Conference (1999), Phoenix, Arizona
10. Henning R.R., and Corporation H. Security engineering: it is all about control and assurance objectives. In: Warkentin M., and Vaughn R.B. (Eds). Enterprise Information Systems Assurance and System Security (2006), Idea Group Publishing
11. Villarroel R., Fernández-Medina E., and Piattini M. Secure information systems development - a survey and comparison. Computers & Security (2005) 308-321
12. Mellado D., Fernández-Medina E., and Piattini M. A comparative study of proposals for establishing security requirements for the development of secure information systems. The 2006 International Conference on Computational Science and its Applications (ICCSA 2006), Springer LNCS 3982 3 (2006) 1044-1053
13. Moffett J.D., and Nuseibeh B.A. A framework for security requirements engineering. Report YCS (2003), Department of Computer Science, University of York 368
14. Kitchenham B. Procedures for Perfoming Systematic Review. Joint Technical Report, Software Engineering Group, Department of Computer Science Keele University, United Kingdom and Empirical Software Engineering (2004), National ICT Australia Ltd.: Australia
15. Brereton P., Kitchenham B., Budgen D., Turner M., and Khalil M. Lessons from applying the systematic literature review process within the software engineering domain. J. Syst. Software 80 4 (2007) 571-583
16. Kitchenham, B., Guideline for performing Systematic Literature Reviews in Software Engineering. Version 2.3. 2007, University of Keele (Software Engineering Group, School of Computer Science and Mathematics) and Durham (Department of Computer Science).
17. Biolchini J., Mian P.G., Natali A.C.C., and Travassos G.H. Systematic review in software engineering. Systems Engineering and Computer Science Department COPPE / UFRJ: Rio de Janeiro (2005)
18. Firesmith D.G. Engineering security requirements. Journal of Object Technology 2 1 (2003) 53-68
19. Basin D., Doser J., and Lodderstedt T. Model-driven security for process-oriented systems. SACMAT'03 (2003) 100-110
20. Basin D., Doser J., and Lodderstedt T. Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. 15 1 (2006) 39-91
21. Bresciani P., Giorgini P., Giunchiglia F., Mylopoulos J., and Perini A. Tropos: agent-oriented software development methodology. Journal of Autonomous Agents and Multi-Agent System (2004) 203-236
22. Giorgini P., Massacci F., Mylopoulos J., and Zannone N. Requirements engineering meets trust management: model, methodology, and reasoning. iTrust 2004 (2004) 176-190
23. Giorgini P., Mouratidis H., and Zannone N. Modelling Security and Trust with Secure Tropos, in Integrating Security and Software Engineering: Advances and Future Visions (2006), Idea Group Publishing
24. Ali R., Dalpiaz F., and Giorgini P. Location-based software modeling and analysis: Tropos-based approach, in 27th International Conference on Conceptual Modeling (ER 08) (2008), Springer, Barcelona, Spain
25. Ali R., Dalpiaz F., and Giorgini P. A goal modeling framework for self-contextualizable software, in 14th international conference on exploring modeling methods in systems analysis and design (EMMSAD09) (2009), Springer, Amsterdam, The Netherlands
26. Dalpiaz F., Giorgini P., and Mylopoulos J. An Architecture for Requirements-Driven Self-reconfiguration, in CAiSE (2009) 246-260
27. Massacci F., Prest M., and Zannone N. Using a security requirements engineering methodology in practice: the compliance with the Italian data protection legislation, in Computers Standards and Interfaces (2005) 445-455
28. Compagna L., Khoury P.E., Krausová A., Massacci F., and Zannone N. How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns. Artif. Intell. Law 17 1 (2009) 1-30
29. Firesmith D.G. Engineering safety-related requirements for software-intensive systems, in Proceedings of the 27th international conference on Software engineering (2005), ACM Press, St. Louis, MO, USA
30. Firesmith D.G. Engineering safety and security related requirements for software intensive systems, in international conference on software engineering. IEEE Computer Society (2007) 169
31. Hussein M., and Zulkernine M. Intrusion detection aware component-based systems: a specification-based framework. J. Syst. Softw. 80 5 (2007) 700-710
32. Jennex M.E. Modeling security requirements for information systems development (2005), SREIS
33. Lee J., Lee J., Lee S., and Choi B. A CC-based Security Engineering Process Evaluation Model. 27th Annual International Computer Software and Applications Conference (COMPSAC'03) (2003) 130
34. Lee S.-W., Gandhi R., Muthurajan D., Yavagal D., and Ahn G.-J. Building problem domain ontology from security requirements in regulatory documents, in Proceedings of the 2006 international workshop on Software engineering for secure systems (2006), ACM Press, Shanghai, China
35. Mead N.R., and Stehney T. Security Quality Requirements Engineering (SQUARE) Methodology. in Software Engineering for Secure Systems (SESS05), ICSE 2005 International Workshop on Requirements for High Assurance Systems (2005) St. Louis
36. Mead N.R., and Hough E.D. Security Requirements Engineering for Software Systems: Case Studies in Support of Software Engineering Education, in CSEE&T (2006) 149-158
37. Abu-Nimeh S., Miyazaki S., and Mead N.R. Integrating privacy requirements into security requirements engineering. SEKE (2009) 542-547
38. Mellado D., Fernández-Medina E., and Piattini M. A common criteria based security requirements engineering process for the development of secure information systems. Computer Standards and Interfaces (2007) 244-253
39. Mellado D., Fernández-Medina E., and Piattini M. Towards security requirements management for software product lines: a security domain requirements engineering process. Computer Standards & Interfaces (2008) 361-371
40. Haley C.B., Laney R., Moffet J.D., and Nuseibeh B. Security requirements engineering: a framework for representation and analysis. IEEE Trans. Software Eng. 34 1 (2008) 133-153
41. Morimoto S., Horie D., and Cheng J. A security requirement management database based on ISO/IEC 15408. ICCSA 2006 (LNCS 3982) 3 (2006) 1-10
42. Horie D., Morimoto S., Azimah N., Goto Y., and Cheng J. ISEDS: an information security engineering database system based on ISO Standards (2008), ARES 1219-1225
43. Myagmar S., Lee A.J., and Yurcik W. Threat modeling as a basis for security requirements (2005), SREIS
44. Peeters J. Agile security requirements engineering (2005), SREIS
45. Popp G., Jürjens J., Wimmel G., and Breu R. Security-critical system development with extended use cases. 10th Asia-Pacific Software Engineering Conference (2003) 478-487
46. Jürjens J. UMLsec: extending UML for secure systems development. UML. The Unified Modeling Language. Model Engineering, Languages,Concepts, and Tools. 5th International Conference., 2002. LNCS 2460 (2002) 412-425
47. Jürjens J., Schreck J., and Yu Y. Automated analysis of permission-based security using UMLsec. Fundamental Approaches to Software Engineering (FASE 2008), held as part of the Joint European Conferences on Theory and Practice of Software (ETAPS 2008) (2008) 292-295
48. Shin M.E., and Gomaa H. Software requirements and architecture modeling for evolving non-secure applications into secure applications. Sci. Comput. Program. 66 1 (2007) 60-70
49. Sindre G., and Opdahl A.L. Eliciting security requirements with misuse cases. Requirements Eng. 10 1 (2005) 34-44
50. Sindre G., Firesmith D.G., and Opdahl A.L. A reuse-based approach to determining security requirements. in Proc. 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03) (2003) Austria
51. Opdahl, A.L. and G. Sindre, Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology. In Press, Corrected Proof, 2008.
52. Stalhane T., and Sindre G. Safety hazard identification by misuse cases: experimental comparison of text and diagrams (2008), MODELS 721-735
53. Toval A., Nicolás J., Moros B., and García F. Requirements reuse for improving information systems security: a practitioner's approach. Requirements Engineering Journal (2001) 205-219
54. Martínez M., Lasheras J., Toval A., and Piattini M. An audit method of personal data based on requirements engineering. 4th International Workshop on Security in Information Systems - WOSIS (2006)
55. Nicolás J., Lasheras J., Toval A., Ortíz F., and Alvarez B. A collaborative learning experience in modelling the requirements of teleoperated systems for ship hull maintenance, in workshop on learning software organizations and requirements engineering (2006), LSO
56. Lasheras J., Valencia-García R., Fernández-Breis J.T., and Toval A. An ontology-based framework for modelling security requirements, in The 6th International Workshop on Security in Information Systems - WOSIS (2008)
57. Tsoumas B., and Gritzalis D. Towards an ontology-based security management. Proceedings of the 20th International Conference on Advanced Information Networking and Applications. IEEE Computer Society (2006) Volume 1 (AINA'06) - Volume 01 AINA '06
58. Tsoumas B., Papagiannakopoulos P., Dritsas S., and Gritzalis D. Security-by-ontology: a knowledge-centric approach. In: Boston S. (Ed). Security and Privacy in Dynamic Environments (2006) 99-110
59. Yu E. Towards modelling and reasoning support for early-phase requirements engineering. 3 rd IEEE International Symposium on Requirements Engineering (RE'97) (1997) 226-235
60. Yu E., Liu L., and Mylopoulos. A social ontology for integrating security and software engineering, in integrating security and software engineering: advances and future visions (2006), Idea Group Publishing
61. Yu E. Social modeling and i*. In: Borgida A.T., et al. (Ed). Conceptual Modeling: Foundations and Applications - Essays in Honor of John Mylopoulos (2009), Springer 99-121
62. Zuccato A. Holistic security requirement engineering for electronic commerce. Computers and Security (2004) 63-76
63. Zuccato A. Holistic security management framework applied in electronic commerce. Computer & Security 26 3 (2007) 256-265
64. Zuccato A., Endersz V., and Daniels N. Security requirements engineering at a telecom provider (2008), ARES 1139-1147
65. Lamsweerde V. Engineering requirements for system reliability and security, in software system reliability and security. In: Broy M., Grunbauer J., and Hoare C.A.R. (Eds). NATO security through science series-D: information and communication security (2007), IOS Press 196-238
66. Firesmith D.G. Security use cases. Journal of Object Technology (2003) 53-64
67. Best B., Jürjens J., and Nuseibeh B. Model-based security engineering of distributed information systems using UMLSec. ICSE (2007) 581-590
68. Whittle J., Wijesekera D., and Hartong M. Executable misuse cases for modeling security concerns. International Conference on Software Engineering (ICSE'08) (2008) 121-130
69. Braz F.A., Fernandez E.B., and VanHilst M. Eliciting security requirements through misuse activities. 19th International Conference on Database and Expert Systems Application (DEXA 2008) (2008) 328-333
70. CRAMM. CRAMM, United Kingdom Central Computer and Telecommunication Agency. CCTA Risk Analysis and Management Method: User Manual, ver. 5.1 (2005), HMSO
71. COBIT. COBIT, IT Governance Institute. Control Objectives for Information and related Technology (COBIT 4.0) (2005)
72. Khawaja A., and Urban J. A synthesis of evaluation criteria for software specifications and specifications techniques. International Journal of Software Engineering and Knowledge Engineering 12 5 (2002) 581-599
73. IEEE. IEEE 830: 1998 recommended practice for software requirements specifications (1998)
74. Mead N.R. How to compare the Security Quality Requirements Engineering (SQUARE) method with other methods (2007) Volume
75. Hatebur D., Heisel M., and Schmidt H. A formal metamodel for problem frames. 11th international conference on Model Driven Engineering Languages and Systems (ARES'08). Lecture Notes In Computer Science Vol. 5301 (2008) 68-82