Safiah Sidek

Capturing security requirements using essential use cases (EUCs)

Capturing security requirements is a complex process, but it is crucial to the success of a secure software product. Hence, requirements engineers need to have security knowledge when eliciting and analyzing the security requirements from business requirements. However, the majority of requirements engineers lack such knowledge and skills, and they face difficulties to capture and understand many security terms and issues. This results in capturing inaccurate, inconsistent and incomplete security requirements that in turn may lead to insecure software systems. In this paper, we describe a new approach of capturing security requirements using an extended Essential Use Cases (EUCs) model. This approach enhances the process of capturing and analyzing security requirements to produce accurate and complete requirements. We have evaluated our prototype tool using usability testing and assessment of the quality of our generated EUC security patterns by security engineering experts.

A review on tool supports for security requirements engineering

Capturing the right security requirements is crucial when developing a security software. Poor elicited security requirements can lead to a failure in software development, thus it needs to be accurately defined. This study evaluates various security requirement engineering tools and analyses the existing gaps in security requirement engineering tools. Based on a literature search conducted manually, we report our findings from the review and analysis of different studies of security requirements engineering tool. Consequently, the gaps and motivations found from this literature study are discussed. Future directions of this study is to develop a more useful tool that can perform a better function in capturing security requirements are also discussed.

Automated Support to Capture and Validate Security Requirements for Mobile Apps

Mobile application usage has become widespread and significant as it allows interactions between people and services anywhere and anytime. However, issues related to security have become a major concern among mobile users as insecure applications may lead to security vulnerabilities that make them easily compromised by hackers. Thus, it is important for mobile application developers to validate security requirements of mobile apps at the earliest stage to prevent potential security problems. In this paper, we describe our automated approach and tool, called MobiMEReq that helps to capture and validate the security attributes requirements of mobile apps. We employed the concept of Test Driven Development (TDD) with a model-based testing strategy using Essential Use Cases (EUCs) and Essential User Interface (EUI) models. We also conducted an evaluation to compare the performance and correctness of our tool in various application domains. The results of the study showed that our tool is able to help requirements engineers to easily capture and validate security-related requirements of mobile applications.

TestMEReq: generating abstract tests for requirements validation

This paper introduces TestMEReq, an automated tool for early validation of requirements. TestMEReq supports requirements engineers (REs) in the validation of the correctness, completeness and consistency of elicited requirements with minimum effort and time through generated abstract tests components: test requirements and test cases, and a mock-up prototype of the user interface (UI). Abstract tests are derived from abstract models called Essential Use Cases (EUCs) and the Essential User Interface (EUI). Our evaluation results show that TestMEReq is useful in the requirements validation process: it reduces the effort and time spent to ensure good quality requirements.

MEReq: A tool to capture and validate multi-lingual requirements

Within the era of globalisation that acknowledges differences and diversity, multiple languages have been increasingly used to capture requirements. This practice is particularly prevalent in Malaysia, where both Malay and English languages are used as a media of communication. Nevertheless, capturing requirements in multiple languages is often error-prone due to natural language imprecision being compounded by language differences. Considering that two languages may be used to describe requirements for the same system in different ways, we were motivated to develop MEReq, a tool which uses Essential Use Case (EUC) models to support capturing and checking the inconsistency occurring in English and Malay multi-lingual requirements. MEReq is tablet compatible to minimise time for on-site capture and validation of multi-lingual requirements. This paper describes the MEReq approach and demonstrates its use to capture and validate English and Malay requirements.

An automated collaborative requirements engineering tool for better validation of requirements

This demo introduces an automated collaborative requirements engineering tool, called TestMEReq, which is used to promote effective communication and collaboration between client-stakeholders and requirements engineers for better requirements validation. Our tool is augmented with real time communication and collaboration support to allow multiple stakeholders to collaboratively validate the same set of requirements. We have conducted a user study focusing on validating requirements using TestMEReq with a few groups of requirements engineers and client stakeholders. The study shows that our automated tool support is able to assist requirements engineers to effectively communicate with client-stakeholders to better validate the requirements virtually in real time. (Demo video: https://www.youtube.com/watch?v=7sWLOx-N4Jo).

A New HMCR Parameter of Harmony Search for Better Exploration

As a meta-heuristic algorithm, Harmony Search (HS) algorithm is a population-based meta-heuristics approach that is superior in solving diversified large scale optimization problems. Several studies have pointed that Harmony Search (HS) is an efficient and flexible tool to resolve optimization problems in diversed areas of construction, engineering, robotics, telecommunication, health and energy. In this respect, the three main operators in HS, namely the Harmony Memory Consideration Rate (HMCR), Pitch Adjustment Rate (PAR) and Bandwidth (BW) play a vital role in balancing the local exploitation and the global exploration. These parameters influence the overall performance of HS algorithm, and therefore it is very crucial to fine turn them. However, when performing a local search, the harmony search algorithm can be easily trapped in the local optima. Therefore, there is a need to improve the fine tuning of the parameters. This research focuses on the HMCR parameter adjustment strategy using step function with combined Gaussian distribution function to enhance the global optimality of HS. The result of the study showed a better global optimum in comparison to the standard HS.

Trust Requirements Model for Developing Acceptable Autonomous Car

There has been an increase interest among automakers to develop autonomous cars. However, the level of acceptance of the autonomous cars among users is limited. Considering that trust is one of the main determinants for users to accept the autonomous cars. Considering that user’s needs and expectation are highly important when developing the autonomous car, a trust requirements model that consists of attributes and related properties based on the perspectives of the users has been developed. The model was also developed based on the proposition that automakers need to consider trust requirements at the early stage of developing the autonomous car. Drawn from a systematic analysis of the literature review, seven attributes, namely safety, security, privacy, performance, user’s experience, reliability and economic value together with their related properties were identified. It was also found that there is a one-to-many relationship between the attribute and its properties. This model, named as trust requirements autonomous car (TReAC) model can be used as guideline for automakers to develop acceptable autonomous cars. It is anticipated that this model can be adaptable to other domain. Future work should be dedicated to validating and testing this model.

A Template for Writing Security Requirements

Quality security requirements contribute to the success of secure software development. However, the process of eliciting and writing security requirements is tedious and complex, It requires Requirements Engineers (RE) to have security experience in the process of eliciting consistent security requirements from the clients-stakeholders. Considering the requirements are derived from natural language, RE faced problems in eliciting and writing security requirements as they have the tendency to misunderstand the real needs and the security terms used. Motivated from these problems, this paper proposed a security requirements library and template to assist RE in writing security requirements. The library was built based on compilation of security attributes derived from syntax analysis and keywords matching. The realization of the library and writing template was demonstrated using two sets of scenario taken from real projects. The usage examples show that the template is able to help the RE to write security requirements by providing the relevant and suitable sentence structure as guidance.

A Security Requirements Library for the Development of Internet of Things (IoT) Applications

In today’s era, there is a rapid increase in the demand for IoT applications. Thus, securing the information content delivered among various entities involved in the IoT applications development has become an important issue. It is also identified that there is a high cost of implementing a secured IoT application as it requires efforts, skills and knowledge to understand the security concern, especially when developers and requirement engineers do not have any formal training in software engineering and eliciting security requirements. In addition, requirements engineers who are unfamiliar with the IoT applications confront problems to elicit accurate security requirements to avoid misinterpretations. Motivated by these issues, this paper presents the development of a new IoT security requirements library of security requirement for the development of IoT applications. Using an industry scenario, the utilities of the library demonstrated the elicitation of security requirements for each of the IoT attributes of specific business applications domains.