Abstract
Nowadays, security solutions are mainly focused on providing security defences, instead of solving one of the main reasons for security problems that refers to an appropriate Information Systems (IS) design. In fact, requirements engineering often neglects enough attention to security concerns. In this paper it will be presented a case study of our proposal, called SREP (Security Requirements Engineering Process), which is a standard-centred process and a reuse-based approach which deals with the security requirements at the earlier stages of software development in a systematic and intuitive way by providing a security resources repository and by integrating the Common Criteria into the software development lifecycle. In brief, a case study is shown in this paper demonstrating how the security requirements for a security critical IS can be obtained in a guided and systematic way by applying SREP.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Baskeville, R.: The development duality of information systems security. Journal of Management Systems 4(1), 1–12 (1992)
Booch, G., Rumbaugh, J., Jacobson, I. (eds.): The Unified Software Development Process. Addison-Wesley, Reading (1999)
Breu, R., Burger, K., Hafner, M., Popp, G.: Towards a Systematic Development of Secure Systems. In: Proceedings WOSIS 2004, pp. 1–12 (2004)
Firesmith, D.G.: Engineering Security Requirements. Journal of Object Technology 2(1), 53–68 (2003)
Firesmith, D.G.: Security Use Cases. Journal of Object Technology, 53–64 (2003)
ISO/IEC_JTC1/SC27. Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management. ISO/IEC 13335 (2004)
ISO/IEC_JTC1/SC27. Information technology - Security techniques - Code of practice for information security management. ISO/IEC 17799 (2005)
ISO/IEC_JTC1/SC27. Information technology - Security techniques - Evaluation criteria for IT security. ISO/IEC 15408:2005 (Common Criteria v3.0) (2005)
Kim, H.-k., Chung, Y.-K.: Automatic Translation Form Requirements Model into Use Cases Modeling on UML. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganá, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3482, pp. 769–777. Springer, Heidelberg (2005)
Kotonya, G., Sommerville, I.: Requirements Engineering Process and Techniques. Hardcovered, 294 (1998)
MAP. Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (MAGERIT - v 2) (2005) (Ministry for Public dministration of Spain)
Massacci, F., Prest, M., Zannone, N.: Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation. Computers Standards and Interfaces 27, 445–455 (2005)
Dermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Annual Computer Security Applications Conference. Phoenix (Arizona) (1999)
Mellado, D., Fernández-Medina, E., Piattini, M.: A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems. Computer Standards and Interfaces (2006)
Mellado, D., Fernández-Medina, E., Piattini, M.: A Comparative Study of Proposals for Establishing Security Requirements for the Development of Secure Information Systems. In: Gavrilova, M.L., Gervasi, O., Kumar, V., Tan, C.J.K., Taniar, D., Laganá, A., Mun, Y., Choo, H. (eds.) ICCSA 2006. LNCS, vol. 3982, pp. 1044–1053. Springer, Heidelberg (2006)
Mouratidis, H., Giorgini, P., Manson, G., Philp, I.: A Natural Extension of Tropos Methodology for Modelling Security. In: Workshop on Agent-oriented methodologies, at OOPSLA 2002. Seattle (WA) (2003)
Popp, G., Jürjens, J., Wimmel, G., Breu, R.: Security-Critical System Development with Extended Use Cases. In: 10th Asia-Pacific Software Engineering Conference, pp. 478–487 (2003)
Sindre, G., Firesmith, D.G., Opdahl, A.L.: A Reuse-Based Approach to Determining Security Requirements. In: 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ 2003), Austria (2003)
Toval, A., Nicolás, J., Moros, B., García, F.: Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach. Requirements Engineering Journal, 205–219 (2001)
Walton, J.P.: Developing a Enterprise Information Security Policy. In: Proceedings of the 30th annual ACM SIGUCCS conference on User services. ACM Press, New York (2002)
Yu, E.: Towards Modelling and Reasoning Support for Early-Phase Requirements Engineering. In: A3rd IEEE International Symposium on Requirements Engineering (RE 1997), pp. 226–235 (1997)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Mellado, D., Fernández-Medina, E., Piattini, M. (2006). Applying a Security Requirements Engineering Process. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds) Computer Security – ESORICS 2006. ESORICS 2006. Lecture Notes in Computer Science, vol 4189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11863908_13
Download citation
DOI: https://doi.org/10.1007/11863908_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44601-9
Online ISBN: 978-3-540-44605-7
eBook Packages: Computer ScienceComputer Science (R0)