Using Abuse Case Models for Security Requirements Analysis
ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
Eliciting security requirements with misuse cases
Requirements Engineering
Security Patterns: Integrating Security and Systems Engineering
Security Patterns: Integrating Security and Systems Engineering
Security Requirement Engineering at a Telecom Provider
ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Hi-index | 0.00 |
The specification of security requirements for systems of systems is often an activity that is forced upon non-security experts and performed under time pressure. This paper describes how we have addressed this problem by using a collection of modular safeguards, which are tailored to the application domain. These safeguards, which are specific but still fairly atomic, are combined into requirement profiles that seamlessly integrate into the overall development approach. These safeguards are grouped into 15 classes which subsume requirements that aim for low, medium and high security capabilities. Each requirement is further specified with a technical description defining actual values. To achieve a holistic coverage, we have created requirement profiles that define combinations of modular safeguards and have added complementary organizational safeguards. We will show how we have developed this approach over the years and present our practical experiences of the seamless integration into the development life cycle.