Towards Writing Secure Software Requirements

C. Busby-Earle and E.K. Mugisa (Jamaica)


Requirements engineering, requirements, softwaresecurity, security concern, derived requirements


The role of the requirements engineer (RE) is usually that of a technical generalist and therefore expertise in disciplines other than requirements engineering such as software security, is not expected. However, many of the methods and techniques used for the elicitation and development of software security requirements are heavily reliant on security expertise, are threat based and subjective. We present the first elements in the development of a tool to be used by REs to write secure software requirements. We created a prototype whose purpose is to identify potential security concerns based on an analysis of derived requirements using a format we developed. It illustrates how our format was used to identify extant security concerns in an application, solely from its requirements document. In so doing we also demonstrate that our identification process is amenable to automation.

Important Links:

Go Back