A Methodology for Security Requirement Engineering

04 Apr 2025

I’ve put together some slides on how we used to do security requirement engineering at Mbition. The approach builds on threat modeling as the main activity for eliciting security requirements [1,2,3], uses EARS [4] for specification, and relies on a modified Volere [5] template for documentation. A key idea is to write reusable security requirements [6,7], gradually building up a security requirements repository that can support future projects.
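To make the EARS and reuse ideas concrete, here is an added example (not taken from the slides or from Mbition's repository): reusable requirement templates are instantiated for a project and checked against the EARS sentence patterns. The requirement IDs, threat labels, template wording and parameter values are constructed for illustration.

```python
import re
from string import Template

# EARS sentence patterns (Mavin et al., 2009), keyed by their leading keyword.
# A requirement without a leading keyword is "ubiquitous".
EARS_PATTERNS = [
    ("unwanted behaviour", re.compile(r"^If .+?, then the .+? shall .+\.$")),
    ("event-driven",       re.compile(r"^When .+?, the .+? shall .+\.$")),
    ("state-driven",       re.compile(r"^While .+?, the .+? shall .+\.$")),
    ("optional feature",   re.compile(r"^Where .+?, the .+? shall .+\.$")),
    ("ubiquitous",         re.compile(r"^The .+? shall .+\.$")),
]

def classify_ears(text):
    """Return the name of the EARS pattern the sentence follows, or None."""
    for name, rx in EARS_PATTERNS:
        if rx.match(text):
            return name
    return None

# Constructed repository: reusable text with $placeholders, each entry traced
# to the threat that motivated it (IDs and wording are illustrative only).
REPOSITORY = {
    "SR-AUTH-01": {
        "threat": "credential guessing",
        "template": "If $max_attempts consecutive authentication attempts fail, "
                    "then the $system shall lock the account for $lockout.",
    },
    "SR-LOG-01": {
        "threat": "repudiation of administrative actions",
        "template": "When $event occurs, the $system shall write an audit "
                    "record containing $fields.",
    },
    "SR-COMM-01": {
        "threat": "eavesdropping on network traffic",
        "template": "The $system shall encrypt $data in transit using $protocol.",
    },
}

def instantiate(req_id, **params):
    """Fill a reusable template for one project and verify it is valid EARS."""
    entry = REPOSITORY[req_id]
    # substitute() raises KeyError if a placeholder is left unfilled
    text = Template(entry["template"]).substitute(**params)
    pattern = classify_ears(text)
    if pattern is None:
        raise ValueError(f"{req_id} does not follow an EARS pattern: {text!r}")
    return {"id": req_id, "threat": entry["threat"],
            "pattern": pattern, "text": text}
```
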


[1] McDermott, John, and Chris Fox. “Using abuse case models for security requirements analysis.” Proceedings 15th Annual Computer Security Applications Conference (ACSAC’99). IEEE, 1999.

[2] Sindre, Guttorm, and Andreas L. Opdahl. “Capturing security requirements through misuse cases.” NIK 2001, Norsk Informatikkonferanse 2001, http://www.nik.no/2001 74 (2001).

[3] Myagmar, Suvda, Adam J. Lee, and William Yurcik. “Threat modeling as a basis for security requirements.” Symposium on Requirements Engineering for Information Security (SREIS). Vol. 2005. 2005.

[4] Mavin, Alistair, et al. “Easy approach to requirements syntax (EARS).” 2009 17th IEEE International Requirements Engineering Conference. IEEE, 2009.

[5] Volere requirements specification template. Volere Requirements. (n.d.). Retrieved April 4, 2022, from https://www.volere.org/templates/volere-requirements-specification-template/

[6] Toval, Ambrosio, et al. “Requirements reuse for improving information systems security: a practitioner’s approach.” Requirements Engineering 6.4 (2002): 205-219.

[7] Sindre, Guttorm, Donald G. Firesmith, and Andreas L. Opdahl. “A reuse-based approach to determining security requirements.” REFSQ. Vol. 3. 2003.