Journal: Journal of Theoretical and Applied Information Technology
Print ISSN: 1992-8645
Electronic ISSN: 1817-3195
Publication year: 2021
Volume: 99
Issue: 1
Pages: 1
Publisher: Journal of Theoretical and Applied
Abstract: Writing quality security requirements contributes to the success of secure software development. It has been common practice to add security requirements to a software system only after the system has been defined. Incorporating security requirements at such a late stage of software development increases the risk of security vulnerabilities in the resulting software. However, the process of writing security requirements is tedious and complex. Although significant work exists in the field of requirements elicitation, less attention has been given to writing complete security requirements. It remains a challenging and tedious process for requirements engineers (REs) to elicit and write complete security requirements derived from natural language. This is due to the tendency of inexperienced REs to misunderstand the real needs and the security terms involved, leading to incomplete security requirements. Motivated by these problems, we have developed a prototype tool, called SecureMEReq, to improve the writing of complete security requirements. This tool provides four key features: (1) extraction of security requirements components from client-stakeholders; (2) validation of security requirements probability density and security requirements syntax density; (3) checking of the security requirements and key-structure components; and (4) validation of completeness prioritization. To do this, we used our pattern libraries, SecLib and SRCLib, to support the automation of the elicitation process, especially the writing of the security requirements. To evaluate our approach and tool, we conducted completeness tests comparing the completeness of security requirements written with SecureMEReq against those written manually. Our evaluation results show that our prototype tool is capable of facilitating the writing of complete security requirements and is useful in assisting REs in eliciting security requirements.