Abstract
Software Engineering has established techniques, methods and technology over two decades. However, due to the lack of understanding of software security vulnerabilities, we have not been so successful in applying software engineering principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security can not be just added after a system has been built and delivered to customers as seen in today’s software applications. This keynote paper provides concise methods, techniques, and best practice requirements guidelines on software security and also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
McGraw, G.: Software Security: Building Security In. Addison Wesley, USA (2006)
Ashford, W.: (2009). http://www.computerweekly.com/Articles/2009/07/14/236875/on-demand-service-aims-to-cut-cost-of-fixing-software-security.htm
Allen, J.H., et al.: Software Security Engineering: A Guide for Project Managers. Addison Wesley, Boston (2008)
Jacobson, I.: Object Oriented Software Engineering: Use Case Driven Approach. Addison Wesley, Boston (1992)
Kotonya, G., Sommerville, I.: Requirements Engineering: Processes and Techniques. Wiley, New York (1998)
van Lamsweerde, A.: Requirements Engineering: From system goals to UML Models to Software Specifications. Wiley, London (2009)
Sommerville, I., Sawyer, P.: Requirements Engineering: A Good Practice Guide. Wiley, New York (1998)
Firesmith, D.: Engineering Safety- and Security-Related Requirements ICCBSS Tutorial. SEI, Carnegie Mellon University, 27 February 2007
Firesmith, D.: Engineering security requirements. J. Object Technol. 2(1), 53–68 (2003)
CERT-SEI: www.cert.org
CERT-UK: https://www.cert.gov.uk/
BSI: Attack patterns articles (2013). https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns
Schneier, B.: Attack trees: modelling security threats. Dr Dobbs J. (1999). http://www.schneier.com/paper-attacktrees-ddj-ft.html
Schneier, B.: Secrets and Lies: Digital Security in a Networked World. Wiley, New York (2000)
Ellison, R.J., Moore, A.P.: Trustworthy refinement through intrusion-aware design (CMU/SEI-2003-TR-002, ADA414865). Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA (2003)
Howard, M., LeBlanc, D.C.: Writing Secure Code, 2nd edn. Microsoft Press, Redmond (2002)
Mead, N.R., et al.: Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. SEI Technical Note CMU/SEI-2008-TN-006 (2008). http://www.sei.cmu.edu
Caralli, R.A., et al.: Introducing OCTAVE allegro: improving the information security risk assessment process. Technical Report, CMU/SEI-2007-TR-012 (2007)
Alberts, C., Dorofee, A.: Managing Information Security Risks: The OCTAVESM Approach. Addison Wesley, Boston (2002)
Woody, C., Alberts, C.: Considering operational security risk during system development. IEEE Secur. Priv. 5, 30–43 (2007)
CLASP: OWASP CLASP, version 1.2 (2006). http://www.lulu.com/items/volume_62/1401000/1401307/3/print/OWASP_CLASP_v1.2_for_print_LULU.pdf
S-SDLC: Introducing Secure Software development Life Cycle (S-SDLC). Infosec Institute http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/
Ramachandran, M.: Software Security Engineering: Design and Applications. Nova Science Publishers, New York (2012). ISBN 978-1-61470-128-6. https://www.novapublishers.com/catalog/product_info.php?products_id=26331
Chen, J.A.: Security engineering for software (SES), CS996-CISM (2004). isis.poly.edu/courses/cs996-management/Lectures/SES.pdf
Belapurkar, A., et al.: Distributed System Security: Issues, Processes and Solutions. Wiley, New York (2009)
Ramachandran, M., Chang, V., Li, C.-S.: The improved cloud computing adoption framework to deliver secure services. In: Emerging Software as a Service and Analytics - ESaaSA 2015 in Conjunction with 5th International Conference on Cloud Computing and Services Science - CLOSER 2015 (2015). http://closer.scitevents.org/ESaaSA.aspx
Ramachandran, M.: Enterprise security framework for cloud data security. In: Chang, V. (ed.) Delivery and Adoption of Cloud Computing Services in Contemporary Organizations. IGI Global, Hershey (2014)
Graham, D.: Building security (2006). https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/requirements/548-BSI.html
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Ramachandran, M. (2015). Software Security Requirements Engineering: State of the Art. In: Jahankhani, H., Carlile, A., Akhgar, B., Taal, A., Hessami, A., Hosseinian-Far, A. (eds) Global Security, Safety and Sustainability: Tomorrow's Challenges of Cyber Security. ICGS3 2015. Communications in Computer and Information Science, vol 534. Springer, Cham. https://doi.org/10.1007/978-3-319-23276-8_28
Download citation
DOI: https://doi.org/10.1007/978-3-319-23276-8_28
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23275-1
Online ISBN: 978-3-319-23276-8
eBook Packages: Computer ScienceComputer Science (R0)