A Systematic Method to Describe and Identify Security Threats Based on Functional Requirements

  • Roman Wirtz
  • Maritta Heisel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11391)


Scenarios in which the security of software-based systems is harmed become more and more frequent. Such scenarios can lead to substantial damage, not only financially, but also in terms of loss of reputation. Hence, it is important to consider those threats to security already in the early stages of software development. However, it is non-trivial to identify all of them in a systematic manner. In particular, the knowledge about threats is not documented in a consistent manner. The Common Vulnerability Scoring System is a well-known, structured way to characterize vulnerabilities. Our idea is to document threats in a similar way, using a template. A distinguishing feature of our approach is that we relate the threats to the envisaged functionality of the software. Our contribution is two-fold: first, we propose a general template to describe security threats that can be used in the early stages of software development. Second, we define a systematic and semi-automatic procedure to identify relevant threats for a software development project, taking the functionality of the software-to-be into account.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. University of Duisburg-Essen, Duisburg, Germany
