Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
2010 CRC PhD Student Conference

            A Release Planning Model to Handle Security
2010 CRC PhD Student Conference

to compromise some quality requirements in general and security requirements in particu...
2010 CRC PhD Student Conference

[1] Mc-Graw, G “Software Security”, IEEE Computer Society (Privacy and Secu...
2010 CRC PhD Student Conference

[15] Svahnberg, M., Gorschek, Feldt, R., Torkar, R., Saleem, B. S., and Shafique, U. M....
Upcoming SlideShare
Loading in …5

Bin saleem


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Bin saleem

  1. 1. 2010 CRC PhD Student Conference A Release Planning Model to Handle Security Requirements Saad Bin Saleem Center of Research in Computing, Open University Basic information Supervisors: Dr. Charles Haley Dr. Yijun Yu Professor Bashar Nuseibeh Professor Anne De Roeck Department: Computing Status: Full-time Research Student Probation Viva: Probably in November, 2010 Starting Date: Joined OU at 1st February 2010 Background Nowadays usage of computer technology is growing rapidly and almost everybody in the world is depending on computer systems [1]. More and more people and organizations are using computer systems to process, store and manage their highly sensitive data [2]. Any loss, theft and alteration of this data from computer systems can cause a serious incident, which may consequently cause to human disasters. Therefore, proper security of computer systems is very important to avoid any kind of unlikely events. Software is an important component of any computer system and a software security failure can cause malfunction of overall system [1]. It is reported by many scientists and engineers that software security related problems are increasing over the years and secure software development is still a challenging area for software community [3, 4]. For the development of secure software, an early inclusion of security concerns in the Software Development Life Cycle (SDLC) is suggested by many researchers [1, 4]. They consider that it will be very helpful to improve overall software security and can be useful to solve common security threats at design and architecture level [1, 4]. For this purpose, understanding of security requirements at early stages of SDLC is very important, as security requirements are ignored in most of the cases [5, 6]. It is also considered that software security is much related to confidentiality, availability and integrity [7]. But in some cases security is much more than that and depends on many other constraints like stakeholders, etc [6, 7]. To elicit all kinds of security requirements, a systematic procedure named Security Requirements Engineering (SRE) is suggested in the literature [5]. This process insures that elicited security requirements should be complete, consistent and easy to understand [5]. A Requirement Engineering (RE) process consists of many stages from elicitation to requirements validation and Release Planning (RP). RP is considered an important phase of RE in bespoke and market driven software development. RP is divided into two major subtypes named as strategic RP and operational RP [9, 12]. The idea of selecting an optimum set of features or requirements to deliver in a release is called strategic RP or road-mapping and it is performed at product level [9, 10]. On the other hand allocation of resources for realization of a product is called operational RP and performed to decide when a product release should be delivered [10]. In the RP process, it is a common phenomenon to select as much functional requirements or features in a release and deliver to customer or market as soon as possible [11]. In this way, there is a chance Page 122 of 125
  2. 2. 2010 CRC PhD Student Conference to compromise some quality requirements in general and security requirements in particular which consequently lead to compromise with many threats to software [15]. Some existing models of RP deals with quality requirements as technical constraints in general (hard constraints) but not specifically consider these requirements for prioritization with other functional requirements [11, 12, 9 and 15]. Therefore, identifying and fixing any security concerns during selection of requirements for a release, and before deciding time to delivery, can make software less prone to security failures. It can also help in delivering incremental security as organizations cannot hundred percent claim about the security of software product and always need to improve further. Based on the above discussion, it is observed that security requirements needs to be consider in RP for better product strategies and delivery of secure software to customer. So, there is a need to align security requirements with RP by developing a model which treats security requirements separately for strategic and operational RP to release secure software Current research in SRE is aiming to improve existing methods to elicit, analyze, specify, validate and manage security requirements [3, 13]. Like Charles et al have proposed a framework for eliciting security requirements and highlighted some further research directions in the area [3]. Similarly in RP, Ruhe et al have extended the existing approach Evolve+ with three parameters (time dependent value functions, flexible release dates, and adjusted time dependent resource capacities) for more improved planning. Saad & Usman had identified the need to improve existing models of RP according to the needs of Industry [8]. So, this study will contribute in the SRE & RP research, as purpose of this study is to develop a model which treats security requirements in conjunction with functional requirement for strategic and operational RP. The research will be conducted in three phases. In first phase, impact of security requirements on strategic and operational RP will be analyzed. In second phase of research a model will be developed based on the results of first phase. In third phase, the developed model will be validated to verify model’s effectiveness. Research Questions Following are preliminary research questions based on the purpose of study. RQ1. What existing practices are in the literature to deal security requirements for strategic and operational RP? RQ2. What are implications of security requirements on strategic and operational RP as compare to functional requirements and/or other quality requirements? RQ3. Which is an appropriate mechanism for developing a model to treat security requirements as separate requirements instead constraints for prioritization of functional requirements? RQ4. What kind of other constraints the model should consider for developing strategic and operational RP? RQ5. To what extent the proposed model is effective? Research Methodology Qualitative and quantitative research methodologies will be selected to conduct the research in two different stages [14]. The literature review and Industrial Interviews will be used as strategies of inquiry in first stage of research. For example, literature review will be used to know existing practices to deal security requirements during strategic and operational RP, to analyze existing models of strategic and operational RP and to identify any constraints that should be consider for strategic and operational RP based on security and all other kinds of requirements. Similarly, industrial interviews will be used beside with literature review to know any implications of security requirements on strategic and operational RP. In second stage of research, Industrial Interviews and experiments will be adopted as strategies of inquiry to validate the model’s functionality. Page 123 of 125
  3. 3. 2010 CRC PhD Student Conference References [1] Mc-Graw, G “Software Security”, IEEE Computer Society (Privacy and Security), 2004 [2] C. Irvine, T. Levin, J. Wilson, D. Shifflet, & B. Peireira, “An Approach to Security Requirements Engineering for a High Assurance System”, Journal of Requirements Engineering Journal, Vol. 7, No. 4, pp.192-206, 2002 [3] Haley, B. C., Laney, R., Moffett, J., Nuseibeh, B., "Security Requirements Engineering: A Framework for Representation and Analysis," IEEE Transactions on Software Engineering, vol.34, no.1, pp.133-153, 2008 [4] Hassan, R., Bohner, S., and El-Kassas, S., “Formal Derivation of Security Design Specifications From Security Requirements”, In Proceedings of the 4th Annual Workshop on Cyber Security and information intelligence Research: Developing Strategies To Meet the Cyber Security and information intelligence Challenges Ahead, pp.1-3, 2008 [5] Mellado, D., Fernández-Medina, E., & Piattini, M., “Applying a Security Requirements Engineering Process”, Computer Security–ESORICS, Springer, pp. 192-206, 2006 [6] B. H. Cheng and J. M. Atlee, "Research Directions in Requirements Engineering," Future of Software Engineering, (FOSE07), pp. 285-303, 2007 [7] A. Avizienis, J. C. Laprie, B. Randell, and C. Landwehr, "Basic Concepts and Taxonomy of Dependable and Secure Computing," IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, 2004 [8] Saleem, B. S., Shafique. M.U., “A Study on Strategic Release Planning Models of Academia & Industry”, Master Thesis, Blekinge Institute of Technology, Sweden, pp.1-81, 2008 [9] Al-Emran, A., Pfahl, D., “Operational Planning, Re-planning and Risk Analysis for Software Releases”, Proceedings of the 8th International Conference on Product Focused Software Process Improvement (PROFES), pp. 315-329, 2007 [10] Ruhe, G., Momoh, J., "Strategic Release Planning and Evaluation of Operational Feasibility, "In Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS), vol.9, pp. 313b, 2005 [11] Tondel, I.A.; Jaatun, M.G.; Meland, P.H., "Security Requirements for the Rest of Us: A Survey", IEEE Software, vol.25, no.1, pp.20-27, 2008 [12] Ngo-The, A., and Ruhe, G., “A Systematic Approach for Solving the Wicked Problem of Software Release Planning”, Soft Comput, vol. 12, no.1, pp. 95-108, 2007 [13] Jing-Song Cui; Da Zhang, "The Research and Application of Security Requirements Analysis Methodology of Information Systems”, 2nd International Conference on Anti-counterfeiting, Security and Identification, pp.30-36, 2008 [14] Creswell, W. J., Research Design: Qualitative, Quantitative, and Mixed Method Approaches, Second Edition, Thousand Oaks: Sage, pp.1-246, 2003 Page 124 of 125
  4. 4. 2010 CRC PhD Student Conference [15] Svahnberg, M., Gorschek, Feldt, R., Torkar, R., Saleem, B. S., and Shafique, U. M., “A systematic review on strategic release planning models,” Information and Software Technology, vol. 52, no.3, pp. 237-248, 2010 [16] Elroy, J., and Ruhe, G., “When-to-release decisions for features with time-dependent value functions,” To be Appeared in Journal of Requirements Engineering, 2010 Page 125 of 125