Abstract
Context & motivation: More and more software projects today are security-related in one way or the other. Many environments are initially not considered security-related and no security experts are assigned. Requirements engineers often fail to recognise indicators for security problems.
Question/problem: Ignoring security issues early in a project is a major source of recurring security problems in practice. Identifying security-relevant requirements is labour-intensive and error-prone. Security may be neglected in order to finish on time and in budget.
Principal ideas/results: In this paper, we address this problem by presenting a tool-supported method that provides assistance for requirements engineering, with an emphasis on security requirements. We investigate whether security-relevant requirements can be automatically identified using a Bayesian classifier. Our results indicate that this is feasible, in particular if the classifier is trained with domain specific data and documents from previous projects.
Contribution: We show how the ability to identify security-relevant requirements can be integrated in a workflow of requirements analysis and reuse of experience. In practice, this can increase security awareness within the software development process. We discuss limitations and potential of this approach.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Knauss, E., Houmb, S., Schneider, K., Islam, S., Jürjens, J. (2011). Supporting Requirements Engineers in Recognising Security Issues. In: Berry, D., Franch, X. (eds) Requirements Engineering: Foundation for Software Quality. REFSQ 2011. Lecture Notes in Computer Science, vol 6606. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19858-8_2
DOI: https://doi.org/10.1007/978-3-642-19858-8_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19857-1
Online ISBN: 978-3-642-19858-8
eBook Packages: Computer Science (R0)