Modelling Security Requirements for Software Development with Common Criteria

  • Naseer Amara
  • Zhiqui Huang
  • Awais Ali
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11611)


Software design needs to address the issues of adaptation and evaluation in terms of object-oriented concepts to prevent the loss of resources through system failure. System security assessments are common practice, and system certification according to a standard requires submitting relevant software security information to the applicable authorities. Many security-related standards exist for the development of various security-critical systems; however, Common Criteria (ISO/IEC 15408) is an international de facto standard which provides assurance for the specification, implementation, and evaluation of an IT security product. This research aids better communication and enhanced collaboration among different stakeholders, especially between software and security engineers, by proposing a model of security-related concepts in the de facto standard Unified Modeling Language (UML). In this paper, we present a Usage Scenario and a Conceptual Model built by extracting key security-related concepts from Common Criteria. The effectiveness is illustrated by a case study on a Facebook Meta-Model, which is built for the purpose of evaluating the Common Criteria models.


Security requirement engineering; Security evaluation; Software modelling; UML profile; Common Criteria (ISO/IEC 15408)



The first author would like to thank her parents for their generous support. This work is fully supported by Nanjing University of Aeronautics and Astronautics under China Government Scholarship.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China
  2. Department of Computer Science, Bahria University, Lahore, Pakistan
