Deriving security requirements from crosscutting threat descriptions

Haley, Charles B.; Laney, Robin C. and Nuseibeh, Bashar (2004). Deriving security requirements from crosscutting threat descriptions. In: Proceedings of the 3rd international conference on aspect-oriented software development, ACM Press, New York, USA, pp. 112–121.

DOI: https://doi.org/10.1145/976270.976285

URL: http://portal.acm.org/citation.cfm?doid=976270.976...

Abstract

It is generally accepted that early determination of the stakeholder requirements assists in the development of systems that better meet the needs of those stakeholders. General security requirements frustrate this goal because it is difficult to determine how they affect the functional requirements of the system.
This paper illustrates how representing threats as crosscutting concerns aids in determining the effect of security requirements on the functional requirements. Assets (objects that have value in a system) are first enumerated, and then threats on these assets are listed. The points where assets and functional requirements join are examined to expose vulnerabilities to the threats. Security requirements, represented as constraints, are added to the functional requirements to reduce the scope of the vulnerabilities. These requirements are used during the analysis and specification process, thereby incorporating security concerns into the functional requirements of the system.

Viewing alternatives

Metrics

Item Actions

Export

You can export this page using these formats Digital Object Identifier - DOI

About

• Item ORO ID
• 2491
• Item Type
• Conference or Workshop Item
• ISBN
• 1-58113-842-3, 978-1-58113-842-9
• Academic Unit or School
• Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
  Faculty of Science, Technology, Engineering and Mathematics (STEM)
• Research Group
• Centre for Research in Computing (CRC)
• Depositing User
• Charles Haley