
[IEEE 2013 IEEE Conference on Open Systems (ICOS) - Kuching, Malaysia (2013.12.2-2013.12.4)] 2013 IEEE Conference on Open Systems (ICOS) - A review on tool supports for security requirements

A Review on Tool Supports for Security Requirements Engineering

Syazwani Yahya Faculty of Information & Communication Technology

Universiti Teknikal Malaysia Melaka, Melaka, Malaysia,

[email protected]

Massila Kamalrudin, Safiah Sidek Innovative Software System and Services Group (IS3),

Universiti Teknikal Malaysia Melaka, Melaka, Malaysia,

{massila,safiahsidek}@utem.edu.my

Abstract— Capturing the right security requirements is crucial when developing secure software. Poorly elicited security requirements can lead to failure in software development, so they need to be accurately defined. This study evaluates various security requirements engineering tools and analyses the gaps that exist in them. Based on a manually conducted literature search, we report our findings from the review and analysis of different studies of security requirements engineering tools. The gaps and motivations found in this literature study are then discussed. A future direction of this study, developing a more useful tool that performs better in capturing security requirements, is also discussed.

Keywords: tools; security requirements; security requirements elicitation; capturing security requirements; essential use case (EUC)

I. INTRODUCTION

Security requirements have become one of the main concerns when developing secure software. Previous studies have highlighted that a fundamental cause of failure in software project implementation is the failure to define effective security requirements. Capturing security requirements is usually considered a complex task that requires requirements engineers to have good experience in security requirements elicitation and analysis. It has been found that the majority of requirements engineers lack knowledge and skills regarding security elements and often face difficulties in capturing and understanding security terms [1][2]. This situation usually results in security requirements that are error-prone, inconsistent and incomplete, leading to insecure software systems [3][4].

The aim of this paper is to present an analysis of six supporting tools for security requirements engineering cited in the literature. This is motivated by our experience in the security engineering and business requirements analysis domains, where we found that most security requirements are derived from a mixture of business requirements.

II. RESEARCH BACKGROUND AND MOTIVATIONS

Security requirements engineering involves the process of eliciting, specifying, and analyzing the security requirements for a system. Its main concern is the prevention of potential harm in the real world, and this is considered the main constraint on functional requirements [5].

A security requirement is complementary to the functional requirements of a system. Security requirements are commonly based on an analysis of the assets and services to be protected and of the security threats from which these assets and services should be protected [6]. Therefore, it is vital to take security requirements into account right from the beginning of the development process [7].

However, it is difficult to ensure security requirements when there is a scarcity of security expertise available to the development team. Requirements engineers tend to have limited knowledge of security issues. Requirements engineers without security expertise are at risk of overlooking security requirements, which often leads to security vulnerabilities that can later be exploited in practice [1].

Another problem is that the existing standards for security requirements, such as the ISO standards and the Common Criteria, are extensive and developers find them difficult to comprehend. There are also instances where project stakeholders do not have a technical understanding of information systems.

Additionally, even when security experts are available in the project, formal methods for secure systems engineering tend to differ from the typical approaches for requirements engineering. This makes it difficult for security experts to contribute effectively to the rest of the requirements engineering effort [8]. While there is a reasonably good understanding of security threats and vulnerabilities on the one hand, and of various technical security solutions on the other, the understanding of how to formulate good security requirements is still limited. As a result, security issues are often neglected, which can lead to substantial security problems later.

To overcome the major problems discussed above, many methods, approaches, techniques and supporting tools have been developed to help requirements engineers and developers manage security requirements. However, based on the existing studies, there is a need for improvements in the tools that support security requirements. Drawn from this context, we are motivated to develop a more useful tool that can better capture security requirements.

2013 IEEE Conference on Open Systems (ICOS), December 2 - 4, 2013, Sarawak, Malaysia

978-1-4799-0285-9/13/$31.00 ©2013 IEEE 190

III. RELATED WORKS: REVIEW OF THE SECURITY REQUIREMENTS ENGINEERING TOOLS

This section discusses the supporting tools in the software engineering process that have been used to capture security requirements. Additionally, a review of related work on tools developed to facilitate the security requirements task is presented.

A. ST-Tool

As shown in Figure 1, ST-Tool provides a user interface for the design and verification of functional and security requirements. Developed for modeling and analyzing functional and security requirements, it has been designed to support the Secure Tropos methodology. ST-Tool is a graphical CASE tool that permits users to draw Tropos and Secure Tropos models and to perform effective formal analysis of functional and security requirements. It also provides direct support for completing and checking models expressed as Datalog specifications, using different external ASP solvers such as ASSAT, Cmodels, Smodels, and the DLV system.

However, this tool does not facilitate the analysis of low-level cases, and it is considered an ongoing work: the Secure Tropos methodology is still not fully developed [9], and its secure goals are meant for high-level cases only [10]. Integration with the Eclipse platform has, however, been considered.

As mentioned, this tool uses a graphical representation to model security requirements. It is a great tool, even though it does not support capturing and eliciting security requirements directly from textual representations.

B. SecTro

SecTro [11] is an automated modeling tool that supports the Secure Tropos methodology for the development of secure information systems. As shown in Figure 2, SecTro allows the modeling of all stages of the Secure Tropos methodology, including all of its concepts and notations throughout the development process. It guides and supports developers in constructing the appropriate Secure Tropos models.

The tool allows developers to model the system and its specific environment during the development stage. It also supports capturing the properties of various models, such as the security-enhanced actor diagram and the security-enhanced goal diagram, together with their relevant components. The tool analyzes security goals, security constraints, tasks, and resources through a security-enhanced actor model.

However, as a new tool, it has one significant weakness that needs to be addressed: it does not support integration with other relevant tools. New automated processes that further automate the Secure Tropos procedures need to be developed. At present, the models are developed at a later stage of the development process. It has yet to become an automated tool that allows security requirements to be captured at the early phase from the textual requirements provided. Instead, the tool only manages to gather continuous evidence to check whether security requirements have been correctly implemented.

C. STS-Tool

STS-Tool supports the modeling and analysis of STS-ml, a security requirements modeling language for socio-technical systems (STSs) that elicits security needs. STS-Tool allows designers to model an STS at a high level of abstraction while expressing security needs based on the interactions between the actors in the STS. The security requirements developed with this tool take social commitments into consideration, hence the tool deals with contractual validity once the modeling is completed [12].

Some of the features of STS-Tool provide consistency checking: the tool helps to create diagrams that follow the semantics of the modeling language, thus improving consistency and validation. It also provides a function to generate requirements documents, allowing designers to export models and automatically generate a security requirements document.

Figure 1: Example of ST-Tool Interfaces [9]

Figure 2: Example of SecTro Tools workspace [11]

KPT MYBRAIN 15 & ERGS/2013/FTMK/ICT01/UTEM/E00026

Although STS-Tool can be considered an adequate tool, it is still immature and needs further improvement. One of the limitations identified is the need to consider the issue of inconsistencies in requirements development. Additional tool functionalities are planned for the future: the plans are to embed automated reasoning capabilities and to implement a plug-in management system.

At present, although this tool supports exporting models, it does not support exporting the original textual business requirements in a way that would allow security requirements gathering to be auto-generated.

D. SecReq

SecReq is a tool for eliciting and analyzing security requirements [13][1]. It provides mechanisms to trace security requirements from high-level security statements, security goals, and objectives down to a secure design. The main goal of SecReq is to extend the security requirements engineering process by seamlessly integrating elicitation, traceability, and analysis activities. SecReq integrates three distinct techniques: the Common Criteria and its underlying security requirements elicitation and refinement process, the HeRA tool with its security-related heuristic rules, and the UMLsec approach for security analysis and design.

In SecReq, the elicitation part consists of five steps that take a developer through a series of refinements, starting from the system's objectives and functional requirements and ending with specific security requirements at an early stage. SecReq is tailored for non-security experts and advises developers when a security expert needs to be consulted. However, the ability of this tool to assist novice users is questionable. The Common Criteria is a large standard, and novice users will have difficulty constructing the missing diagrams that are necessary to exploit the full features of the UMLsec security analysis tools; for them it can be the most comprehensive and complex tool. Another limitation is that the tool at present does not support traceability from the root cause to provide formal support for capturing security requirements.

E. HeRA

HeRA [13] is a heuristic assistant tool that supports the reuse of existing security-relevant experiences. In particular, it includes Bayesian classifiers that issue an automatic warning when new requirements are found to be security-relevant. This elicitation tool assists stakeholders in specifying and analyzing requirements with security implications. HeRA can leverage an experience base: it analyzes the security requirements created during the activity and compares them to the experiences encoded as heuristic critiques. If a critique fires, which requires the organization's experiences to be reused, the experience-based tool shows a message, thus provoking a constructive breakdown. This breakdown triggers reflection. If a critique from the tool is considered incorrect or inappropriate, individuals may choose to change the respective heuristic rule. Heuristic rules automatically check the relevance and applicability of the critiques.

By encoding heuristics, experience is added to the experience base. However, the presence of a security expert or instructor is crucial for the successful use of this tool: it is important to include experience from the experts, and encoding experiences or teaching individuals is still a time-consuming task for the expert.
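To make the two mechanisms described for HeRA concrete, the following added example (written for this review, not HeRA's own code) combines a small naive Bayes classifier that flags security-relevant requirement statements with a set of heuristic critiques that fire on a flagged requirement. The training sentences, the critique rules and the new requirements are all constructed sample data, and the rule set is the part an engineer would edit when a critique proves inappropriate.

```python
import math
import re
from collections import Counter

# Constructed training set of (requirement text, security-relevant?) pairs.
# In a real experience base these would come from past projects.
TRAINING = [
    ("The system shall authenticate users before granting access.", True),
    ("Passwords shall be stored using a salted hash.", True),
    ("All administrative actions shall be logged with a timestamp and user id.", True),
    ("Personal data shall be encrypted in transit and at rest.", True),
    ("Sessions shall expire after 15 minutes of inactivity.", True),
    ("The system shall display the product catalogue sorted by price.", False),
    ("Users shall be able to add items to a shopping cart.", False),
    ("The report shall be exported as a PDF document.", False),
    ("The home page shall load within two seconds.", False),
    ("Customers shall receive an order confirmation email.", False),
]


def tokenize(text):
    """Lower-case alphabetic tokens; digits and punctuation are dropped."""
    return re.findall(r"[a-z]+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing over word tokens."""

    def __init__(self, samples):
        self.word_counts = {True: Counter(), False: Counter()}
        self.doc_counts = Counter()
        for text, label in samples:
            self.doc_counts[label] += 1
            self.word_counts[label].update(tokenize(text))
        self.vocab_size = len(set(self.word_counts[True]) | set(self.word_counts[False]))

    def _log_score(self, tokens, label):
        total = sum(self.word_counts[label].values())
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokens:
            score += math.log((self.word_counts[label][tok] + 1) / (total + self.vocab_size))
        return score

    def security_probability(self, text):
        """P(security-relevant | text), normalised over the two classes."""
        tokens = tokenize(text)
        diff = self._log_score(tokens, False) - self._log_score(tokens, True)
        diff = max(min(diff, 700.0), -700.0)  # keep exp() within range
        return 1.0 / (1.0 + math.exp(diff))


# Constructed heuristic critiques: (name, trigger pattern, message to the engineer).
# Each entry plays the role of an encoded experience; an engineer who finds a
# critique inappropriate would edit or remove its rule here.
CRITIQUES = [
    ("missing-auth-detail", r"\b(log\s*in|authenticat\w*|access)\b",
     "Specify the authentication mechanism and the behaviour on failure."),
    ("plaintext-storage", r"\b(store|stored|save|saved)\b.*\b(password|credential)s?\b",
     "State how credentials are protected at rest (e.g. salted hashing)."),
    ("pii-handling", r"\b(personal|customer|medical)\b.*\b(data|record|information)s?\b",
     "Name the protection goal (confidentiality, integrity) for this data."),
]


def review_requirement(clf, text, threshold=0.5):
    """Return the warning the assistant would raise for one requirement, or None.

    A warning is raised when the classifier considers the requirement
    security-relevant or when at least one heuristic critique fires.
    """
    probability = clf.security_probability(text)
    fired = [(name, message) for name, pattern, message in CRITIQUES
             if re.search(pattern, text, re.IGNORECASE)]
    if probability < threshold and not fired:
        return None
    return {
        "requirement": text,
        "security_probability": round(probability, 3),
        "critiques": fired,
    }


if __name__ == "__main__":
    classifier = NaiveBayes(TRAINING)
    # Constructed new requirements, as an engineer might enter them.
    for requirement in [
        "Users shall log in with a password and a one-time code.",
        "The system shall store user passwords in the customer table.",
        "The report shall be exported as a PDF document.",
    ]:
        print(review_requirement(classifier, requirement))
```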

F. SREPPLine tool

The SREPPLine [1] tool provides automated support for the security requirements engineering process for software product lines. It mainly supports the automation of security requirements management activities: it prioritizes the security requirements and generates a security requirements specification document. The tool is based on a security requirements decision model driven by security standards, together with a security variability model. SREPPLine Tool provides a guided, systematic and intuitive way to apply SREPPLine, along with simple integration with the remaining requirements and the different stages of the SPL development lifecycle [15]. The tool deals with security requirements variability from the early stages of product line development in a systematic way, in order to facilitate conformance of the products with the most relevant security standards for the management of security requirements, ISO/IEC 27001 and ISO/IEC 15408 (Common Criteria).

However, activities that introduce new requirements, such as updates of the security feature repository, are performed manually. Apart from that, these tools are considered complex and are hardly used by novice users.

Overall, there are several works related to the task of capturing security requirements. Yet most of these works are still immature and have limitations and difficulties, particularly for novice users. A security requirement is a non-functional requirement that acts as a constraint on the functions of the system, although most of the works treated security requirements as functional requirements.

Figure 3: Example of the STS-Tools Social View Interfaces [12]

Figure 4: Example of a screenshot of a heuristic security warning in HeRA Tools [13]

IV. DISCUSSION (RESULTS)

Requirements engineering research has been established for many years, and requirements are the core part of any software or system development. Capturing security requirements at the early phase contributes to the success of secure software development. The requirements themselves are the crucial specification that must exist before any software development can be initiated. Thus, knowledge and reasoning about security requirements need to be considered at the very beginning and in the early phases of the development process.

We have reviewed six (6) tools that have been developed for security requirements engineering. These tools are the ST-Tool by Giorgini et al. [9], a CASE tool for requirements engineering; the SecTro tool by Pavlidis and Islam [11], another CASE tool for modelling security in requirements engineering using Secure Tropos; the SecReq and HeRA tools by Houmb et al. [13], which are used for eliciting security requirements and integrate the Common Criteria, heuristics, and UMLsec; and SREPPLine by Mellado et al. [1].

Based on our review and as shown in Table 1, we found that various approaches or methodologies are used by the security tools, such as the Secure Tropos methodology, the Tropos methodology, goal-oriented and model-driven approaches, as well as experience bases.

Based on Table 1, we also found that the source of the security requirements varies with the specific security element and the purpose of the tool. Yet researchers around the world are still searching for the best source to integrate with their tools in order to develop the best fit for capturing security requirements.

From the results, the majority of the tools use a semi-formal model as their representation. Many of the tools were developed for use in the elicitation and analysis phases, which shows that these phases have been the main concern of many researchers.

TABLE 1 : COMPARISON AND CLASSIFICATION OF SECURITY REQUIREMENT SUPPORTING TOOLS

Columns: Tools Name | Approach / Methodology and Technique | Source of Security Element | Marks under Representations (Formal, Semi-Formal, Informal) and Purpose in Requirement Engineering (Elicitation, Analysis, Specification, Verification)

ST-Tool | Secure Tropos methodology | Library in Secure Tropos | / / / /

SecTro | Secure Tropos methodology | Library in Secure Tropos | / / / /

STS-Tool | Goal-oriented approach | STS-ml | / / /

SecReq | UMLsec approach | - Common Criteria; - Library in UMLsec; - HeRA | / / / /

HeRA | Experience-based tools | Reuse of existing security-related experiences | / / /

SREPPLine | Model driven | - Security standards; - Security variability model | / / /

Total | | | Formal 3, Semi-Formal 6, Informal -, Elicitation 5, Analysis 5, Specification 1, Verification 1

A great number of works have been carried out on security requirements engineering, particularly involving tools that support the security requirements engineering process. From the review, most of the works used a modeling approach, particularly use cases, misuse cases, and UMLsec, to handle security requirements. Only one tool was found to use EUCs to capture security requirements. Most modeling approaches allow the security requirements task to be solved at the implementation phase instead of at the beginning of the development process; thus it becomes a “solution-oriented” instead of a “problem-oriented” approach.


One of the most obvious findings from this study is that the majority of the works are automated or manual tools that provide support for modeling and designing security requirements. Almost none generate them from the original textual business requirements; hence they do not provide valuable assistance for non-expert requirements engineers in capturing security requirements.

V. CONCLUSION AND FUTURE WORKS

We have conducted a review of seven common security requirements engineering tools to identify the gaps and problems that are still outstanding. As found in the previous section, several works use semi-formalized models, but almost none capture security requirements from textual representations, especially by using EUCs. Motivated by this, we plan to explore the use of EUCs in capturing security requirements, because EUCs have been identified in other studies as fruitful for capturing and validating business requirements [15][14]. Therefore, we would like to explore the use of EUCs to capture security requirements from business requirements. For future research, we plan to integrate MeReq [20][21][22] with our defined approach that uses EUCs to capture security requirements.

ACKNOWLEDGMENT

The authors would like to acknowledge Universiti Teknikal Malaysia Melaka and the Ministry of Education Malaysia for the MyBrain15 scholarship. We also thank the ERGS research grant ERGS/2013/FTMK/ICT01/UTEM/E00026 for funding this research.

REFERENCES

[1] K. Schneider, E. Knauss, S. Houmb, S. Islam, and J. Jürjens, “Enhancing security requirements engineering by organizational learning,” Requirements Engineering, vol. 17, no. 1, Nov. 2011, pp. 35–56.

[2] A. Fuchs and N. Lincke, “Supporting Security Engineering at Design Time with Adequate Tooling,” in Computational Science and Engineering (CSE), 2012 IEEE 15th International Conference on, IEEE, 2012.

[3] M. Kamalrudin, J. Grundy, and J. Hosking, “Supporting Requirements Modelling in the Malay Language using Essential Use Cases,” 2012.

[4] M. Kamalrudin and J. Grundy, “Generating essential user interface prototypes to validate requirements,” in Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering, 2011, pp. 564–567.

[5] P. Salini and S. Kanmani, “A Model based Security Requirements Engineering Framework applied for Online Trading System,” 2011, pp. 1195–1202.

[6] C. B. Haley, R. Laney, and J. D. Moffett, “Security Requirements Engineering: A Framework for Representation and Analysis,” 2008.

[7] P. Salini and S. Kanmani, “Survey and analysis on Security Requirements Engineering,” Computers & Electrical Engineering, Sep. 2012.

[8] G. Sindre and A. L. Opdahl, “ReqSec: Requirements for Secure Information Systems,” 2008.

[9] P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, “ST-tool: a CASE tool for security requirements engineering,” in Requirements Engineering, 2005. Proceedings. 13th IEEE International Conference on, 2005, pp. 451–452.

[10] B. Fabian, S. Gürses, M. Heisel, T. Santen, and H. Schmidt, “A comparison of security requirements engineering methods,” Requirements Engineering, vol. 15, no. 1, Nov. 2009, pp. 7–40.

[11] M. Pavlidis and S. Islam, “SecTro: A CASE Tool for Modelling Security in Requirements Engineering using Secure Tropos,” in CAiSE ’11: Proceedings of the CAiSE Forum 2011, 2011, pp. 89–96.

[12] E. Paja, F. Dalpiaz, M. Poggianella, P. Roberti, and P. Giorgini, “STS-tool: Socio-technical Security Requirements through social commitments,” in 2012 20th IEEE International Requirements Engineering Conference (RE), Sep. 2012, pp. 331–332.

[13] S. H. Houmb, S. Islam, E. Knauss, J. Jürjens, and K. Schneider, “Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec,” Requirements Engineering, vol. 15, no. 1, Nov. 2010, pp. 63–93.

[14] D. Mellado, E. Fernández-Medina, and M. Piattini, “Security Requirements Engineering Process for Software Product Lines: A Case Study and Technologies SREPPLine,” 2008, pp. 1–6.

[15] M. Kamalrudin, J. Hosking, and J. Grundy, “Improving requirements quality using essential use case interaction patterns,” in Proceedings of the 33rd International Conference on Software Engineering (ICSE ’11), 2011, p. 531.

[16] M. Kamalrudin, “Automated Software Tool Support for Checking the Inconsistency of Requirements,” in Automated Software Engineering, 2009. ASE ’09. 24th IEEE/ACM International Conference on, IEEE, 2009.

[17] M. Kamalrudin, J. Grundy, and J. Hosking, “Managing Consistency between Textual Requirements, Abstract Interactions and Essential Use Cases,” 2010, pp. 327–336.

[18] L. L. Constantine, “Essential modeling: use cases for user interfaces,” interactions, vol. 2, 1995, pp. 34–46.

[19] L. L. Constantine and A. D. L. Lockwood, “Structure and style in use cases for user interface design,” in Object Modeling and User Interface Design: Designing Interactive Systems, Addison-Wesley Longman Publishing Co., Inc., 2001, pp. 245–279.

[20] H. Kaindl, L. Constantine, O. Pastor, A. Sutcliffe, and D. Zowghi, “How to Combine Requirements Engineering and Interaction Design?,” in 16th IEEE International Requirements Engineering Conference, RE ’08, Barcelona, Catalunya, Spain, 2008, pp. 299–301.

[21] M. Kamalrudin, J. Grundy, and J. Hosking, “Tool support for essential use cases to better capture software requirements,” in Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, 2010, pp. 255–264.

[22] S. Yahya, M. Kamalrudin, and S. Sidek, “The Used of Essential Use Cases (EUCs) to enhance the process of Capturing Security Requirements for Accurate Secure Software,” manuscript submitted to Sepow (Software Engineering Postgraduate Workshop), Melaka, Malaysia, 2013.
