
Using security robustness analysis for early-stage validation of functional security requirements

  • Original Article
  • Requirements Engineering

Abstract

Security is nowadays an indispensable requirement in software systems. Traditional software engineering processes focus primarily on business requirements, leaving security as an afterthought to be addressed via generic “patched-on” defensive mechanisms. This approach is insufficient: software systems need to have security functionality engineered in, in the same way as ordinary business functional requirements. Functional security requirements need to be elicited, analyzed, specified and validated at the early stages of the development life cycle. If the functional security requirements are not properly validated, there is a risk of developing a system that is insecure, rendering it unusable. Acceptance testing is an effective technique to validate requirements. However, an ad hoc approach to developing acceptance tests will suffer from the omission of important tests. This paper presents a systematic approach to developing executable acceptance tests that is specifically geared for model-based secure software engineering processes. The approach utilizes early-stage artifacts, namely misuse case models, domain models and robustness diagrams. The feasibility of the proposed approach is demonstrated by applying it to a real-world system. The results show that a comprehensive set of security acceptance tests can be developed based upon misuse case models for early-stage validation of functional security requirements.

Acknowledgments

The authors would like to acknowledge the support provided by the Deanship of Scientific Research (DSR) at King Fahd University of Petroleum and Minerals (KFUPM) for funding this work through project No. IN111028.

Author information

Corresponding author

Correspondence to Mohamed El-Attar.

About this article

Cite this article

El-Attar, M., Abdul-Ghani, H.A. Using security robustness analysis for early-stage validation of functional security requirements. Requirements Eng 21, 1–27 (2016). https://doi.org/10.1007/s00766-014-0208-9

  • DOI: https://doi.org/10.1007/s00766-014-0208-9
