Requirements Engineering

, Volume 15, Issue 1, pp 63–93 | Cite as

Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec

  • Siv Hilde Houmb
  • Shareeful IslamEmail author
  • Eric KnaussEmail author
  • Jan Jürjens
  • Kurt Schneider
Special Issue - Security Requirements Engineering


Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.


Security requirement elicitation Common Criteria (CC) UMLsec Heuristics Secure design 



This work was partly supported by the Royal Society Industrial Fellowship on Automated Verification of Security-Critical Software (VeriSec), the Royal Society Joint International Project on Model-based Formal Security Analysis of Crypto-Protocol Implementations, the EU FP7 Integrated Project Security Engineering for Lifelong Evolvable Systems, the German Research foundation(DFG project InfoFLOW, 2008–2011), and the EU project SecureChange (ICT-FET-231101).


  1. 1.
    Davis AM (2005) Just enough requirements management: where software development meets marketing. Dorset House Publishing, New YorkGoogle Scholar
  2. 2.
    Polanyi M (1966) The tacit dimension. Doubleday, Garden CityGoogle Scholar
  3. 3.
    Lindstaedt SN, Schneider K (1997) Bridging the gap between face-to-face communication and long-term collaboration. In: Proceedings of the international ACM SIGGROUP conference on supporting group work. Phoenix, USA, Nov ACMGoogle Scholar
  4. 4.
    Damian D, Izquierdo L, Singer J, Kwan I (2007) Awareness in the wild: why communication breakdowns occur. In: Proceedings of second international conference on global software engineering. Munich, Germany, pp 81–90Google Scholar
  5. 5.
    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, CCMB-2007-09-001, CCMB-2007-09-002 and CCMB-2007-09-003, September 2007Google Scholar
  6. 6.
    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2: part 1; General Model, CCMB-2007-09-001, September 2007Google Scholar
  7. 7.
    Knauss E, Lübke D, Meyer S (2009) Feedback-driven requirements engineering: the HeRA. In: International conference on software engineering (ICSE’09), formal research demonstrations track. Vancouver, CanadaGoogle Scholar
  8. 8.
    Department of Defense (1985) DoD 5200.28-STD: trusted computer system evaluation criteria. (August 15)Google Scholar
  9. 9.
    Government of Canada (1993) The Canadian trusted computer product evaluation criteria (January)Google Scholar
  10. 10.
    Department of Trade and Industry (2003) The national technical authority for information assurance (June 2003).
  11. 11.
    Common Methodology for Information Technology Security Evaluation, Evaluation methodology, Version 3.2, Revision 2, CCMB-2009-09-004, September 2007Google Scholar
  12. 12.
    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2: part 2; security functional components, CCMB-2007-09-002, September 2007Google Scholar
  13. 13.
    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2: part 3; security assurance components, CCMB-2007-09-003, September 2007Google Scholar
  14. 14.
    ISO 15408:2007 (2007) Common Criteria for information technology security evaluation: evaluation methodology, version 3.1, revision 2, CCMB-2007-09-004 (September)Google Scholar
  15. 15.
    Berzins V, Martell LC, Adams P (2007) Innovations in natural language document processing for requirements engineering. In: Paech B, Martell C (eds) Innovations for requirement analysis. From stakeholders’ needs to formal designs: 14th monterey workshop 2007. Lecture notes in computer science. Springer, Berlin, pp 125–146Google Scholar
  16. 16.
    Knauss E, Schneider K, Stapel K (2009) Learning to write better requirements through heuristic critiques. In: Proceedings of 17th IEEE requirementes engineering conference (RE 2009). Atlanta, USAGoogle Scholar
  17. 17.
    Fischer G (1994) Domain-oriented design environments. Automat Softw Eng 1:177–203CrossRefGoogle Scholar
  18. 18.
    Schön DA (1983) The reflective practitioner: how professionals think in action. Basic Books, New YorkGoogle Scholar
  19. 19.
    Fischer G (1998) Seeding, evolutionary growth and reseeding: constructing, capturing and evolving knowledge in domain-oriented design environments. Automat Softw Eng 5:447–464CrossRefGoogle Scholar
  20. 20.
    Knauss E, Flohr T (2007) Managing requirement engineering processes by adapted quality gateways and critique-based RE-tools. In: Proceedings of workshop on measuring requirements for project and product success. Palma de Mallorca, Spain (November, in conjunction with the IWSM-Mensura Conference)Google Scholar
  21. 21.
    Cockburn A (2000) Writing effective use cases. Addison-Wesley Professional, LondonGoogle Scholar
  22. 22.
    Schneider K, Stapel K, Knauss E (2008) Beyond documents: visualizing informal communication. In: Proceedings of third international workshop on requirements engineering visualization (REV 08). Barcelona, SpainGoogle Scholar
  23. 23.
    Jürjens J (2005) Secure systems development with UML. Springer, HeidelbergzbMATHGoogle Scholar
  24. 24.
    Jürjens J (2000) Secure information flow for concurrent processes. In: Palamidessi C (ed) CONCUR 2000 (11th international conference on concurrency theory), vol 1877 of lecture notes in computer science. Springer, pp 395–409Google Scholar
  25. 25.
    Jürjens J (2002) Formal semantics for interacting UML subsystems. In: Jacobs B, Rensink A (eds) 5th International conference on formal methods for open object-based distributed systems (FMOODS 2002). International federation for information processing (IFIP). Kluwer, pp 29–44Google Scholar
  26. 26.
    Deubler M, Grünbauer J, Jürjens J, Wimmel G (2004) Sound development of secure service-based systems. In: Marco A, Aoyama M, Curbera F, Papazoglou MP (eds) Proceedings of the 2nd international conference on service oriented computing(ICSOC). ACM, pp 115–124Google Scholar
  27. 27.
    Chung L (1993) Dealing with security requirements during the development of information systems. In: 5th International conference on advanced information systems engineering (CAiSE 1993). Springer, pp 234–251Google Scholar
  28. 28.
    Jürjens J (2002) Using UMLsec and goal-trees for secure systems development. In: Lamont GB, Haddad H, Papadopoulos G, Panda B (eds) Proceedings of the 2002 symposium of applied computing (SAC). ACM Press, pp 1026–1031Google Scholar
  29. 29.
    Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng J 10(1):34–44CrossRefGoogle Scholar
  30. 30.
    McDermott JP, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of the 15th annual computer security applications conference. IEEE Computer Society, p 55Google Scholar
  31. 31.
    Mouratidis H, Giorgini P, Manson GA (2005) Integrating security and systems engineering: towards the modelling of secure information systems. In: Eder J, Missikoff M (eds) 15th International conference on advanced information systems engineering (CAiSE 2003), vol 2681 of lecture notes in computer science. Springer, pp 63–78Google Scholar
  32. 32.
    Massacci F, Mylopoulos J, Zannone N (2007) Computer-aided support for secure tropos. Automat Softw Eng 14(3):341–364CrossRefGoogle Scholar
  33. 33.
    Mouratidis H, Jürjens J, Fox J (2006) Towards a comprehensive framework for secure systems development. In: Dubois E, Pohl K (eds) CAiSE, vol 4001 of lecture notes in computer science. Springer, Luxembourg, pp 48–62Google Scholar
  34. 34.
    Mannion M, Keepence B (1995) SMART requirements. ACM SIGSOFT: SE Notes 20(2):42–47CrossRefGoogle Scholar
  35. 35.
    ETSI TISPAN (2008) ETSI TS 182 027 V.2.0.0: IPTV Architecture; IPTV functions supported by the IMS subsystem. Standard, FebruaryGoogle Scholar
  36. 36.
    ETSI TISPAN (2008) ETSI TS 182 028 V.2.0.0: IPTV architecture; dedicated subsystem for IPTV functions. Standard, JanuaryGoogle Scholar
  37. 37.
    UMLsec tool, 2001-08.
  38. 38.
    TISPAN, ETSI (2006) Telecommunications and internet converged services and protocols for advanced networking (TISPAN): methods and protocols; part 1: method and proforma for threat, risk, vulnerability analysis. Technical report ETSI TS 102 165-1 V4.2.1, European Telecommunications Standards InstituteGoogle Scholar
  39. 39.
    Rossebø JE, Cadzow S, Sijben P (2007) eTVRA, a threat, vulnerability and risk assessment method and tool for eEurope. In: ARES ’07: proceedings of the the second international conference on availability, reliability and security. IEEE Computer Society, pp 925–933Google Scholar
  40. 40.
    Winkler S (2007) Information flow between requirement artifacts. In: Proceedings of REFSQ 2007 international working conference on requirements engineering: foundation for software quality, vol 4542 of lecture notes in computer science. Trondheim, Norway. Springer, Berlin, pp 232–246Google Scholar
  41. 41.
    Damian D, Marczak S, Kwan I (2007) Collaboration patterns and the impact of distance on awareness in requirements-centred social networks. In: Proceedings of 15th IEEE international requirements engineering conference (RE 2007). New DelhiGoogle Scholar
  42. 42.
    Stapel K, Schneider K, Lübke D, Flohr T (2007) Improving an industrial reference process by information flow analysis: a case study. In: Proceedings of PROFES 2007, vol 4589 of LNCS. Riga, Latvia. Springer, Berlin, pp 147–159Google Scholar
  43. 43.
    Allmann C, Winkler L, Kölzow T (2006) The requirements engineering gap in the OEM-supplier relationship. J Univers Knowl Manage 1(2):103–111Google Scholar
  44. 44.
    Stapel K, Knauss E, Allmann C (2008) Lightweight process documentation: just enough structure in automotive pre-development. In: O’Connor Rory V, Baddoo N, Smolander K, Messnarz R (eds) Proceedings of the 15th European conference, EuroSPI, communications in computer and information science. Dublin, Ireland, 9. Springer, pp 142–151Google Scholar
  45. 45.
    Schneider K (2007) Generating fast feedback in requirements elicitation. In: Requirements engineering: foundation for software quality (REFSQ 2007)Google Scholar
  46. 46.
    Fabbrini F, Fusani M, Gnesi S, Lami G (2001) The linguistic approach to the natural language requirements quality: benefit of the use of an automatic tool. In: SEW ’01: proceedings of the 26th annual NASA goddard software engineering workshop. IEEE Computer Society, Washington, DC, p 97Google Scholar
  47. 47.
    Wilson WM, Rosenberg LH, Hyatt LE (1996) Automated quality analysis of natural language requirement specifications. In Proceedings of PNSQC conferenceGoogle Scholar
  48. 48.
    Melchisedech R (2000) Verwaltung und Prüfung natürlichsprachlicher Spezifikationen. PhD thesis, Fakultät Informatik, Universität Stuttgart, StuttgartGoogle Scholar
  49. 49.
    Fabbrini F, Fusani M, Gnesi S, Lami G (2001) An automatic quality evaluation for natural language requirements. In: Proceedings of the seventh international workshop on RE: foundation for software quality (REFSQ 2001). Interlaken, SwitzerlandGoogle Scholar
  50. 50.
    Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20CrossRefGoogle Scholar
  51. 51.
    Schumacher M, Buglioni EF, Hybertson D, Buschmann F, Sommerlad P (2006) Security patterns: integrating security and systems engineering. Wiley, LondonGoogle Scholar
  52. 52.
    Toval A, Nicolás J, Morosa B, García F (2002) Requirements reuse for improving information systems security: a practitioner’s approach. Requir Eng J 6:205–219zbMATHCrossRefGoogle Scholar
  53. 53.
    Crook R, Ince DC, Lin L, Nuseibeh B (2002) Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of the 10th anniversary IEEE joint international conference on requirements engineering. IEEE Computer Society, pp 203–205Google Scholar
  54. 54.
    Haley CB, Laney RC, Moffett JD, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153CrossRefGoogle Scholar
  55. 55.
    Giorgini P, Massacci F, Mylopoulos J (2003) Requirement engineering meets security: a case study on modelling secure electronic transactions by VISA and Mastercard. In: Song I-Y, Liddle SW, Ling TW, Scheuermann P (eds) 22nd International conference on conceptual modeling (ER 2003), vol 2813 of lecture notes in computer science. Springer, pp 263–276Google Scholar
  56. 56.
    Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) Modeling security requirements through ownership, permission and delegation. In: Proceedings of the 13th IEEE international conference on requirements engineering. IEEE Computer Society, pp 167–176Google Scholar
  57. 57.
    Mellado D, Medinav, Piattini M (2007) A common criteria based security requirements engineering process for the development of secure information system. Comput Stand Interfaces 29:244–253CrossRefGoogle Scholar
  58. 58.
    Mead NR, Steheny T (2005) Security quality requirements engineering (square) methodology. SIGSOFT Softw Eng Notes 30(4):1–7CrossRefGoogle Scholar
  59. 59.
    ISO/IEC 27001:2005 (2005) Specification for information security management (October)Google Scholar
  60. 60.
    Islam S, Dong W (2008) Security requirements addressing security risks for improving software quality. In: Workshop-band software-Qualitätsmodellierung und—bewertung (SQMB ’08), Technical report TUM-I0811, Technische Universität München, Munich, GermanyGoogle Scholar
  61. 61.
    Islam S, Dong W (2008) Human factors in software security risk management. In: LMSA ’08: proceedings of the first international workshop on leadership and management in software architecture. ACM, New York, pp 13–16Google Scholar
  62. 62.
    Whittle J, Wijesekera D, Hartong M (2008) Executable misuse cases for modeling security concerns. In: ICSE ’08: proceedings of the 30th international conference on Software engineering. ACM, New York, pp 121–130Google Scholar
  63. 63.
    Yskout K, Scandariato R, Win BD, Joosen W (2008) Transforming security requirements into architecture. In: International conference on availability, reliability and security. pp 1421–1428Google Scholar
  64. 64.
    Arenas A, Aziz B, Bicarregui J, Matthews B, Yang EY (2008) Modelling security properties in a grid-based operating system with anti-goals. In: Proceedings of the 2008 third international conference on availability, reliability and security (ARES). pp 1429–1436Google Scholar
  65. 65.
    Elahi G, Yu E (2007) A goal oriented approach for modeling and analyzing security trade-offs. In: ER 2007, vol 4801 of lecture notes in computer science. Springer, pp 375–390Google Scholar
  66. 66.
    Flechais I, Mascolo C, Sasse MA (2007) Integrating security and usability into the requirements and design process. Int J Electron Secur Digit Forensics 1(1):12–26CrossRefGoogle Scholar
  67. 67.
    Baldwin A, Beres Y, Shiu S, Kearney P (2006) A model based approach to trust, security and assurance. BT Technol J 24(4):53–68CrossRefGoogle Scholar
  68. 68.
    Kearney P, Brügger L (2007) A risk-driven security analysis method and modelling language. BT Technol J 25(1) JanuaryGoogle Scholar
  69. 69.
    Ray I, France RB, Li Na, Georg G (2004) An aspect-based approach to modeling access control concerns. Inf Softw Technol 46(9):575–587CrossRefGoogle Scholar
  70. 70.
    Houmb SH, Georg G, France RB, Bieman JM, Jürjens J (2005) Cost-benefit trade-off analysis using BBN for aspect-oriented risk-driven development. In: Proceedings of the 10th IEEE international conference on engineering of complex computer systems. IEEE Computer Society, pp 195–204Google Scholar
  71. 71.
    Basin DA, Doser J, Lodderstedt T (2006) Model driven security: from UML models to access control infrastructures. ACM Trans Softw Eng Methodol 15(1):39–91CrossRefGoogle Scholar
  72. 72.
    Brucker AD, Doser J, Wolff B (2006) A model transformation semantics and analysis methodology for SecureUML. In: MoDELS 2006, vol 4199 of lecture notes in computer science. Springer, pp 306–320Google Scholar
  73. 73.
    Alam M, Hafner M, Memon M, Hung P (2007) Modeling and enforcing advanced access control policies in healthcare systems with SECTET. In: Sztipanovits J, Breu R, Ammenwerth E, Bajcsy R, Mitchell JC, Pretschner A (eds) Workshop on model-based trustworthy health information systems (MOTHIS@Models)Google Scholar
  74. 74.
    Alam M, Hafner M, Breu R (2007) Model-driven security engineering for trust management in SECTET. J Softw 2(1):47–59Google Scholar
  75. 75.
    Breu R, Burger K, Hafner M, Jürjens J, Popp G, Wimmel G, Lotz V (2003) Key issues of a formally based process model for security engineering. In: 16th International conference “Software & Systems Engineering & their Applications” (ICSSEA 2003)Google Scholar
  76. 76.
    Jürjens J, Shabalin P (2007) Tools for secure systems development with UML. Int J Softw Tools Technol Transf 9(5–6):527–544 (October 2007. Invited submission to the special issue for FASE 2004/05)Google Scholar
  77. 77.
    Best B, Jürjens J, Nuseibeh B (2007) Model-based security engineering of distributed information systems using UMLsec. In: 29th International conference on software engineering (ICSE 2007). ACM, pp 581–590Google Scholar
  78. 78.
    Jürjens J, Rumm R (2008) Model-based security analysis of the german health card architecture. Methods Inf Med 47(5):409–416 (special section on model-based development of trustworthy health information systems)Google Scholar
  79. 79.
    Jürjens J, Schreck J, Bartmann P (2008) Model-based security analysis for mobile communications. In: 30th International conference on software engineering (ICSE 2008). ACMGoogle Scholar
  80. 80.
    Yu Y, Jürjens J, Mylopoulos J (2008) Traceability for the maintenance of secure software. In: 24th International conference on software maintenance (ICSM). IEEE Computer SocietyGoogle Scholar

Copyright information

© Springer-Verlag London Limited 2009

Authors and Affiliations

  1. 1.Connected Objects Laboratory, Service Platform GroupTrondheimNorway
  2. 2.Fakultät für InformatikTechnische Universität MünchenGarchingGermany
  3. 3.Software Engineering GroupLeibniz Universität HannoverHannoverGermany
  4. 4.Chair for Software Engineering(14)Technische Universität DortmundDortmundGermany

Personalised recommendations