Inlämning av Examensarbete / Submission of Thesis

Gibrail Islam; Murtaza Ali Qureshi MSE-2012-95, pp. 97. COM/School of Computing, 2012.

The work

Författare / Author: Gibrail Islam, Murtaza Ali Qureshi,
Titel / Title: A Framework for Security Requirements Elicitation
Abstrakt Abstract:

Context: Security considerations are typically incorporated in the later stages of development as an afterthought. Security in software system is put under the category of non-functional requirements by the researchers. Understanding the security needs of a system requires considerable knowledge of assets, data security, integrity, confidentiality and availability of services. Counter measures against software attacks are also a security need of a software system. To incorporate security in the earliest stages, i.e. requirement gathering, helps building secure software systems from the start. For that purpose researchers have proposed different requirements elicitation techniques. These techniques are categorized into formal and informal techniques on the basis of finiteness and clarity in activities of the techniques.
Objectives: Limitations of formal methods and lack of systematic approaches in informal elicitation techniques make it difficult to rely on a single technique for security requirements elicitation. Therefore we decided to utilize the strengths of formal and informal technique to mitigate their weaknesses by combining widely used formal and informal security requirements elicitation techniques. The basic idea of our research was to integrate an informal technique with a formal technique and propose a flexible framework with some level of formality in the steps.
Methods: We conducted a systematic literature review to see “which are the widely used security requirement elicitation techniques?” as a pre-study for our thesis? We searched online databases i.e. ISI, IEEE Xplore, ACM, Springer, Inspec and compendeX. We also conducted a literature review for different frameworks that are used in industry, for security requirement elicitation. We conducted an experiment after proposing a security requirements elicitation Framework and compared the result from the Framework with that of CLASP and Misuse cases.
Results:Two types of analysis were conducted on results from the experiment: Vulnerability analysis and Requirements analysis with respect to a security baseline. Vulnerability analysis shows that the proposed framework mitigates more vulnerabilities than CLASP and Misuse Cases. Requirements analysis with respect to the security baseline shows that the proposed framework, unlike CLASP and Misuse cases, covers all the security baseline features.
Conclusions:The framework we have proposed by combining CLASP, Misuse cases and Secure TROPOS contains the strengths of three security requirements elicitation techniques. To make the proposed framework even more effective, we also included the security requirements categorization by Bogale and Ahmed [11]. The framework is flexible and contains fifteen steps to elicit security requirements. In addition it also allows iterations to improve security in a system

Ämnesord / Subject: Datavetenskap - Computer Science\Software Engineering

Nyckelord / Keywords: Security Requirement Elicitation Framework, Security Requirement Engineering, Software Security

Publication info

Dokument id / Document id: houn-8xpk8u
Program:/ Programme Masterprogram i Software engineering 120 p/Master´s program in Software engineering 120 p
Registreringsdatum / Date of registration: 08/31/2012
Uppsatstyp / Type of thesis: Masterarbete/Master's Thesis (120 credits)


Handledare / Supervisor: JÜRGEN BÖRSTLER
Examinator / Examiner: Prof. Tony Gorschek
Organisation / Organisation: Blekinge Institute of Technology
Institution / School: COM/School of Computing

+46 455 38 50 00

Files & Access

Bifogad uppsats fil(er) / Files attached: bth2012islam.pdf (1719 kB, öppnas i nytt fönster)