Quality Needs Structure: Industrial Experiences in Systematically Defining Software Security Requirements

  • Christian Frühwirth
  • Richard Mordinyi
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 94)


Successful, quality software projects need to be able to rely on a sufficient level of security in order to manage the technical, legal and business risks that arise from distributed development. The definition of a ‘sufficient’ level of security, however, is typically only captured in implicit requirements that are rarely gathered in a methodological way. Such an unstructured approach makes the work of quality managers incredibly difficult and often forces developers to unwillingly operate in an unclear or undefined security state throughout the project. Ideally, security requirements are elicited in a methodological manner that enables structured storage, retrieval, and checking of requirements. In this paper we report on the experiences of applying a structured requirements elicitation method and list a set of gathered reference security requirements. The reported experiences were gathered in an industrial setting using the open source platform OpenCIT in cooperation with industry partners. The output of this work enables security- and quality-conscious stakeholders in a software project to draw from our experiences and evaluate against a reference baseline.


Distributed Software Engineering Security Requirements 





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Christian Frühwirth (1)
  • Richard Mordinyi (2)

  1. Software Business Lab, BIT Research Center, Aalto University – School of Science and Technology, Espoo, Finland
  2. Christian Doppler Laboratory “Software Engineering Integration for Flexible Automation Systems”, Vienna University of Technology, Vienna, Austria
