
Evaluating Security Requirements Engineering Framework for Web Applications

P. Salini, Dr. S. Kanmani


Security engineering is a new research area in software engineering that covers the definition of processes, plans and designs for security. Researchers are active in this area; however, the treatment of security requirements in the field remains inadequate. Security requirements are non-functional requirements that act as constraints on the functions of the system. An increasing part of the communication and sharing of information in our society uses electronic media. Many organizations, especially distributed and net-centric ones, depend entirely on well-functioning information systems. IT security is therefore becoming central to the ability to fulfill business goals, build trustworthy systems, and protect assets. In order to develop systems with adequate security features, it is essential to capture the corresponding security needs and requirements. Security requirements engineering is emerging as a branch of software engineering, spurred by the realization that security must be dealt with early, during the requirements phase. A number of researchers' proposals have major limitations because they treat security in system-oriented terms. In this paper we present a view on security requirements, security requirements issues and types, and the framework for Security Requirements Engineering. We also present the challenges to web application security and evaluate the Security Requirements Engineering framework for web applications.


Keywords: Security Engineering, Security Requirements Engineering, Security Requirements Engineering Framework, Web Applications.







Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.