Affiliation:
1. Department of Electrical Engineering and Computer Science, University of Kansas, Lawrence, KS, USA
2. Automotive OEM, Garmin International, Olathe, KS, USA
Abstract
While software security has become an expectation, stakeholders often have difficulty expressing such expectations. Elaborate (and expensive) frameworks to identify, analyze, validate and incorporate security requirements for large software systems (and organizations) have been proposed, however, small organizations working within short development lifecycles and minimal resources cannot justify such frameworks and often need a light and practical approach to security requirements engineering that can be easily integrated into their existing development processes. This work presents an approach for eliciting, analyzing, prioritizing and developing security requirements which can be integrated into existing software development lifecycles for small organizations. The approach is based on identifying candidate security goals using part of speech (POS) tagging, categorizing security goals based on canonical security definitions, and understanding the stakeholder goals to develop preliminary security requirements and to prioritize them. It uses a case study to validate the feasibility and effectiveness of the proposed approach.
Reference15 articles.
1. ASQ. (11/21/13). Failure Mode Effects Analysis (FMEA). Available: http://asq.org/learn-about-quality/process-analysis-tools/overview/fmea.htmlhttp://asq.org/learn-about-quality/process-analysis-tools/overview/fmea.html
2. Agile Requirements Engineering Practices: An Empirical Study
3. The Usage-Centric Security Requirements Engineering (USeR) Method
4. Ingoldsby, T. R. (2009). Attack tree-based threat risk analysis. Retrieved from http://www.amenaza.com/downloads/docs/AttackTreeThreatRiskAnalysis.pdfhttp://www.amenaza.com/downloads/docs/AttackTreeThreatRiskAnalysis.pdf
Cited by
4 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献