Abstract

Security Requirements prioritization is one of the important Processes in the Software engineering, which aims at identifying and prioritizing the most crucial security requirements for the software project. In order to systematically perform this activity, many approaches have been introduced so far. Despite of the functionalities offered, these techniques have got certain pitfalls imbibed in them such as inefficient and inappropriate requirement gathering prioritization and hike in the specified project budget that leads to degradation in the software quality and security. So there is an imperative need for the efficient solution to overcome them. Thus In this paper, we have proposed a new methodology to prioritize the software security requirements generation process. This methodology improves the security in software applications of the business environment by gathering the properly processed requirements, identifying the vulnerabilities and their corresponding threats. Thus, it leads to the reduction in the estimated budget of the software application along with the security implication.

References

• Alexander IF, “Modeling the interplay of conflicting goals with use and misuse cases”. In: Proceedings of the 8th international workshop on requirements engineering: foundation for software quality (REFSQ’02), Essen, Germany, 2002.
• Alexander IF, “Misuse cases, use cases with hostile intent”. IEEE Software, 2003, pp. 58– 66.
• Common criteria for information technology security evaluation. Technical report CCIMB 99–031, Common Criteria Implementation Board, 1999.
• John Mc Dermott, Chris Fox, “Using abuse case models for security requirements analysis.” Department of Computer Science, James Madison University, 1999.
• KARLSSON, J. and RYAN, K. “A Cost- Value Approach for Prioritizing Requirements”, IEEE Software 14 (5), pp. 67–74, 1997.
• Robert J. Ellison, "Attack Trees”, Software Engineering Institute, Carnegie Mellon University, 2005.
• Donald G. Firesmith, “Engineering Security Requirements”, Journal of object technology, 2003, vol 2, no.1, pp.53-68.
• KARLSSON, L. and REGNELL, B. “Comparing Ordinal and Ratio Scale Data in Requirements Prioritisation”, Workshop on Comparative Evaluation in Requirements Engineering, 2005.
• Muhammad Umair Ahmed Khan and Mohammad Zulkernine, “Quantifying Security in Secure Software Development Phases”, Annual IEEE International Computer Software and Applications ConferenceIEEE, 2008.
• GILB, K. “Evo - Evolutionary Project Management & Product Development”. Book, 2006.
• Johnson, J. "Chaos: The Dollar Drain of IT Project Failures," Application Development Trends, January 1995, pp. 41-47.
• Lubars M., Potts C., Richer C., “A review of the state of the practice in requirements modeling”, Proc. IEEE Symp. Requirements Engineering, San diego 1993
• OWASP,https://www.owasp.org/index.php/Threat_Risk_Modeling#OCTAVE.
• Karen Mc Graw, Karan Harbison, “User Centered Requirements, The scenario based”, 1997.
• VILHELM VERENDEL,” Some Problems in Quantified Security”, CHALMERS UNIVERSITY OF TECHNOLOGY, Göteborg, Sweden 2010.
• EBIOS-Expression of need and identification of security objectives, DCSSI, France, February, 2004.
• Nessus. Configuring Nessus to perform local security checks on Unix hosts. http://nessus.org/documentation /index. php, Last Accessed 30-01-2008.
• STAT Scanner. http://www.lumension.com, Last Accessed 30-01-2008.
• F. Guo, Y. Yu, and T. Chiueh, “Automated and Safe Vulnerability Assessment”, In Proc. of the 21st Annual Computer Security Applications Conference, Tucson, AZ, USA, 2005, pp. 150-159.
• Clearpoint. http://www.clearpointmetrics.com Last Accessed 30-01-2008.
• Sindre G, Opdahl AL, “Eliciting security requirements by misuse cases”. In proceeding 37th Conference Techniques of Object-Oriented Languages and Systems, TOOLS Pacific 2000, pp 120-131.
• Sindre G, Opdahl AL, “Eliciting security requirements with misuse cases”. Requirements Engineering 10, Springer-Verlag London Ltd, January 2005, pp. 34-44.
• The Standish group, Chaos. Standish Group Internal Report,1995,http://www/standishgroup.com/chaos.html. 24] M. Ware, J. Bowles, C. Eastman, “Using the common criteria to Elicit security Requirements with use cases”, 2006 IEEE Computer Society.
• Agarwal A, Gupta D, “Security Requirement Elicitation Using View Points for online System”. 2008 IEEE Computer Society.
• CERT/Internet security vulnerabilities. Available Online: http://www.cert.org.
• N. Mayer, P. Heymans, R. Matulevi?ius “Design of a Modelling Language for Information System Security Risk Management”, In Proceedings of the First International Conference RCIS – 2007.
• Alberts, Christopher and Dorofee, Audrey. OCTAVE Method Implementation Guide v2.0. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2001. http://www.cert.org/octave.
• a)Paolo Giorgini, G.Manson,Haralambos Mouratidis. I.Philip, “A Natural Extension of Tropos Methodolog y for Modelling Security”. In the workshop on Agent -oriented methodologies, at OOPSLA 2002. b)Paolo Giorgini, G.Manson, Haralambos Mouratidis. I.Philip, “Modelling Secure Multi agent System”. AAMAS- 2003.
• A.van Lamsweerde, ”Elaborating security requirements by construction of intentional anti-models”, Proceedings of the 26th International Conference on software engineering (ICSE’04), IEEE Computer Society, Washington DC USA, 2004, pp. 148-157.
• Tom Olzak” A Practical Approach to Threat Modeling”, March 2006.
• Alberts, Christopher and Dorofee, Audrey. “OCTAVE Method Implementation Guide” v2.0. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2001. http://www.cert.org/octave.
• Yngve Espelid” Practices in Software Security”, University of Bergen, Norway,2008.