This document presents a model for identifying security requirements of a system during the requirements analysis phase. The model uses use case diagrams along with security questionnaires tables. A use case diagram depicts the functional requirements and interactions between actors and the system. The proposed model adds a security questionnaires table for each use case/process in the diagram to identify related security requirements. The document implements the model on a point of sale system case study, presenting sample security questionnaires tables for the login, add product, and view product processes. The tables contain security-related questions to address during requirements. The model aims to incorporate security early in development to avoid later issues.

1. IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 11, Issue 6 (May. - Jun. 2013), PP 75-82
www.iosrjournals.org
www.iosrjournals.org 75 | Page
Fig.1 Secure web based application
Model for Identifying the Security of a System: A Case Study of
Point Of Sale System
Md. Alamgir Kabir Sagar1
, Md. Mijanur Rahman2
and Md. Ismail Jabiullah3
1,2
Department of Software Engineering, Daffodil International University, Dhanmondi, Dhaka, Bangladesh.
3
Professor and Head, Department of Computer Science and Engineering, Hamdard University Bangladesh,
New Town, Sonargaon, Narayangonj, Bangladesh,
Abstract: In the competitive economic market the demand of secured and reliable system is increasing day by
day. A successful system development is possible by consider equally both functional and nonfunctional
requirement. But practically nonfunctional requirements are not identifying as like functional requirement.
There are few generic requirements for a system like auditability, extensibility, maintainability, performance,
portability, reliability, security, testability, usability and etc. among them security is very vital issue for system
development. The security of web based application is vulnerable now a days. For this reason the importance of
web based application security is growing over the time. Very often the system fails because of without
incorporating the appropriate security specific-process. Our proposed model elicits the system security in a
systematic way during requirement analysis phase. Using use case and questionnaires table our model elicits
the security requirements of a system. We use Point of Sale System as a case study to identify its security.
Keywords- Identify Security, Web Application, Security Model, Functional requirement, Non Functional
Requirement
I. Introduction
The Internet, and in particular the World Wide Web, have
become one of the most common communication mediums in the
World [1]. Millions of users connect every day to different web-
based applications to search for information, exchange messages,
interact with each other, conduct business, pay taxes, perform
financial operations and many more [1]. For these, web based
application is increasing day by day and vulnerabilities of web
based application is increasing simultaneously. For securing web
based application, we have to secure the network, secure the host
and secure the application in Fig. 1 [2]. In this paper, we proposed a
model for building secure web based application which is related in
application not in host and network. For building a secure
application, nonfunctional requirements are necessary along
with functional requirements. The term security which is types
of nonfunctional requirements. So only functional requirements
are not responsible and nonfunctional requirements are also necessary for building secure web application.
In software engineering, a functional requirement defines a function of a software system or its
component. A function is described as a set of inputs, the behavior, and outputs. Functional requirements may
be calculations, technical details, data manipulation and processing and other specific functionality that define
what a system is supposed to accomplish [3]. In another word, Functional requirements capture the intended
behavior of the system. This behavior may be expressed as services, tasks or functions the system is required to
perform [4]. So simply, functional requirements of a system refers to the functions of the system such as
business functions, interface functions etc. [5]. Non-functional requirements are often called qualities of a
system. Other terms for non-functional requirements are "constraints", "quality attributes", "quality goals",
"quality of service requirements" and "non-behavioral requirements" etc. [6]. In another word, nonfunctional
requirements have also been called the 'ilities' because they are most simply expressed like this: usability,
reliability, interoperability, scalability, security [7]. There are several nonfunctional requirements. These are
auditability, extensibility, maintainability, performance, portability, reliability, security, testability, usability and
etc.
Using use case and questionnaires table, our model identify the security requirements of a system
during requirement analysis phase. Where use case consists of functional requirements with actor base and
questionnaires table consists of security requirements which are related to nonfunctional requirements.

2. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 76 | Page
II. Current Problems
It's time for businesses to take the security of their web applications more seriously, and that begins by
building more secure applications. For securing web applications, there are some topics to be noted for the
developer in Table 1 [8].
Table 1. Strengthen Web Application Security
Strengthen Web Application Security
Serial Number Terms
1. User inputs
2. Know which vulnerabilities will
compromise
3. Understand security controls
4. Never write own security controls
5. Create a security community
emissary
6. Apply security controls
consistently
For developer, these above term will be concerned before developing the system. These terms are
primary security concern for developer but not fixed guidelines. Rapid development of web based application,
there are many vulnerabilities issues are occurred. According to the OWASP Top 10 - 2013 Release [9]
Candidate includes the following changes as compared to the 2010 edition in Table 2.
Table 2. Top 10 Vulnerabilities Currently Affecting Web Applications
These are the current web application vulnerabilities issues. If we develop a web application we can
consider these issues and avoid these issues for securing web application. That’s means for web based
application we can develop techniques for avoid these vulnerabilities issues.
At end we can say that when we develop a system, we don’t concern about security [10]. And we have
no non-functional requirement security model as a model for developing a system and have no security
assessment [11] model of security level after developing the system. When we develop a system, we don’t think
about the security and after developing the system, then the customer change the security requirement then we
face some problems. Problems are in Table 3.
Table 3. Current Problems
Current Problems
Serial Number Problem Name
1. Costing
2. Timing
3. User Unsatisfied Issues
4. Testing
5. Documentation Changing
6. User Interface Changing Issues etc.
Costing, Timing, User Unsatisfied Issues, Testing, Documentation Changing Issues, User Interface
Changing Issues etc. are faced. Delivery Time is a major concern of a software. Costing is another major
concern of software.
III. Proposed Model
In software and systems engineering [12], a use case is a list of steps, typically defining interactions
between a role (known in UML [13] as an "actor") and a system, to achieve a goal. The actor can be a human or
Top 10 vulnerabilities currently affecting Web applications
Serial Number Terms
1. Injection
2. Broken Authentication and Session
Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Un-invalidated Redirects and Forwards

3. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 77 | Page
Fig. 2 Use Case Diagram
Fig. 3 Proposed Model of POS System
an external system. In systems engineering, use cases are used at a higher level than within software
engineering, often representing missions or stakeholder goals. The detailed requirements may then be captured
in SysML or as contractual statements [14]. A use case diagram at its simplest is a representation of a user's
interaction with the system and depicting the specifications of a use case. A use case diagram can portray the
different types of users of a system and the various ways that they interact with the system. This type of diagram
is typically used in conjunction with the textual use case and will often be accompanied by other types of
diagrams as well [15]. A use case diagram can be used to describe the usage requirements for a system from an
external point of view [16]. A use case is a functionality the users need from the system. A use case diagram
depicts the relationships among the actors and use cases. It is usually used for requirements analysis. The
components in a use case diagram include: actor, use cases and associations [17] in Fig .2.
When we develop a software, we do not think the security issues of a software. Use Case diagram
represent the process of an application [18]. So, if we represent a security question table for each process, then
most of the security will be concerned after developing the application. The proposed model for identifying
security before developing the system is given in Fig. 3.

4. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 78 | Page
In Fig. 3, this is the Point of Sale System use case diagram. In this use case, for every process have a security
sample question table. Every security sample questionnaires table consists of security sample questions for the
related process which is used in requirement phase before developing the system. For these, all the requirement
related security of related process will concern before developing the system.
IV. Security Questionnaires Table
Security Question Table contains the requirement related security sample questions of the application which is
attached in the Use Case Diagram of the application. Each process have a Security Question Table. Such as
LOGSSQ table contains the security questions for the Login process mention in the Table 4.
Table 4: LOGSSQ Table for Login Process
For login process, LOGSSQ table [Table 4] questions pattern will help to ensure the requirement related
security before developing the system. When we develop a system, we see the Use Case diagram [Figure 3].
Then we can see the security question tables [LOGSSQ Table for Login Process- Table 4, APSSQ Table for
Add Product Process- Table 5 etc.]. For this, before developing the system, security concern will be added. And
common security will remove before developing the system.

5. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 79 | Page
Table 5: APSSQ Table for Add Product Process
APSSQ table [Table 5] contains the security sample questions for Add Product process mention in the Use Case
Diagram [Fig. 3].
For viewing products process, this security question table [Table 6] can be used before developing
system. VPSSQ Question Table [Table 6] contains the security questions for View Product Process to avoid this
types of security.

6. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 80 | Page
Table 6: VPSSQ Table for Add Product Process
For Viewing Product, some requirement related security is concerned before developing the system or
application. VPSSQ Table [Table 6] provides security questions to avoid this types of security.
V. IMPLEMENTATION
Pos or pos is an abbreviation for point of sale (or point-of-sale, or point of service). The term is
applicable to a retail shop or store, the checkout/cashier counter in the store, or a location where such
transactions can occur in this type of environment. It can also apply to the actual point of sale (pos) hardware &
software including but not limited to : electronic cash register systems, touch-screen display, barcode scanners,
receipt printers, scales and pole displays. Point of sale systems are utilized in many different industries, ranging
from restaurants, hotels & hospitality businesses, nail/beauty salons, casinos, stadiums, and let's not forget - the
retail environments. In the most basic sense, if something can be exchanged for monetary value - a point of sale
system can be used [19].
Point of sale (pos) or checkout is the place where a retail transaction is completed. It is the point at
which a customer makes a payment to a merchant in exchange for goods or services. At the point of sale the
merchant would use any of a range of possible methods to calculate the amount owing, such as a manual system,
weighing machines, scanners or an electronic cash register. The merchant will usually provide hardware and
options for use by the customer to make payment, such as an eftpos terminal. The merchant will also normally
issue a receipt for the transaction.
For small and medium-sized retailers, the pos will be customized by retail industry as different industries have
different needs. For example, a grocery or candy store will need a scale at the point of sale, while bars and
restaurants will need to customize the item sold when a customer has a special meal or drink request. The
modern point of sale will also include advanced functionalities to cater to different verticals, such as inventory,
crm, financials, warehousing, etc., all built into the pos software. Prior to the modern pos, all of these functions
were done independently and required the manual re-keying of information, which resulted in a lot of errors
[20].
For implementation this model, we tested a system proposed by softdemo.net/pos, the security
question table LOGSSQ for login process [Table 4], VPSSQ Table [Table 6] for View Products Process and
APSSQ Table [Table 5]for Add Products are tested before developing the application [21]. Demo soft is the
Point of Sale (POS) application which Sample Use Case is Figure 3.
In Figure 4, LOGSSQ Table for Survey form survey the security sample question for login process. Here have
some sample questions for identifying the security in requirement stage. For every survey form contains the
information of user who will survey the form. For other process, we can create survey form. Here we have
shown a survey form for LOGSSQ Table [Table 4] and a survey result in Figure 5.

7. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 81 | Page
Figure 5. LOGSSQ Table Survey for POS
Figure 4. LOGSSQ Table for Survey Form
In Figure 5, this is the survey result of LOGSSQ Table [Table 4] and survey form of figure 3. In survey result,
name of user and email address is mentioned in survey result [Figure 4]. Question serial number (SQN) and
Remarks are shown in survey result. For this way, we can survey other table such as VPSSQ Table [Table 6],
APSSQ Table [Table 5] etc.
VI. CONCLUSION
Security is a nonfunctional requirement that specifies the security criteria and that can be used to judge
the system functionally. Now a days, rapid development of web application, security is not considered before
developing the system. For this, after developing the system, existing system contains big hole and
vulnerabilities issues are occurred. Our model specifies the system security in a systematic way during
requirement analysis phase and for this before developing the system, security concern will be added and for
this this model help to mitigate the loss and risk of software before and after developing the system. And the

8. Model for Identifying the Security of a System: A Case Study of Point of Sale System
www.iosrjournals.org 82 | Page
security as a non-functional requirement will high concern and important issues before developing any system.
This model is implemented a point of sale system as a case study.
References
[1] Teodoro, N., Serrao, C., Web application security: Improving critical web-based applications quality through in-depth security
analysis. Information Society (i-Society), 2011 International Conference on , London, 27-29 June 2011,457 - 462
[2] Chapter 1- Web Application Security Fundamentals, Web Application Security Fundamentals, [Online] 2013,
http://msdn.microsoft.com/en-us/library/ff648636.aspx (Accessed: 22 May 2013)
[3] Functional Requirement, Functional Requirement – Wikipedia, the free encyclopedia, [Online] 2013,
http://en.wikipedia.org/wiki/Functional_requirement (Accessed: 18 May, 2013)
[4] Ruth Malan and Dana Bredemeyer, Functional Requirements and Use Cases , 2001 bredemeyer consulting, white paper 8/3/01
[5] R. T. Yeh (1982) "Requirements Analysis- A Management Perspective," Proc. COMPSAC '82, Nov. 1982, pp. 410–416.
[6] Stellman, Andrew; Greene, Jennifer (2005). Applied Software Project Management. O'Reilly Media. p. 113. ISBN 978-0-596-00948-
9.
[7] Nonfunctional Requirements, [Online] 2010, http://c2.com/cgi/wiki?NonFunctionalRequirements (Accessed: 15 May, 2013)
[8] Mathew J. Schwartz, 6 Ways To Strengthen Web App Security. [Online] http://www.informationweek.com/security/application-
security/6-ways-to-strengthen-web-app-security/240006962(Accessed: 5 May 2013)
[9] Category: OWASP Top Ten Project, Category: OWASP Top Ten Project – OWASP. [Online] 2013,
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (Accessed:10 May 2013)
[10] J. McDermott and C. Fox, “Using abuse-case models for security requirements analysis”, Proceedings of the 15th annual computer
security applications conference (ACSAC’99), Phoenix, Arizona, 1999.
[11] E. Chew, S. Marianne, S. Kevin, B. Nadya, B. Anthony and R. Will, “Performance measurement guide for information security”.
Research Technical Report, NIST National Institute of Standards and Technology, Special Publication 800-55. July (2008).
[12] System Engineering, System Engineering - Wikipedia, the free encyclopedia [Online] 2013,
http://en.wikipedia.org/wiki/Systems_engineering (Accessed:8 April 2013)
[13] Unified Modeling Language- Wikipedia, the free encyclopedia. [Online] 2013,
http://en.wikipedia.org/wiki/Unified_Modeling_Language .(Accessed: 10 April 2013)
[14] Use Case -Wikipedia, the free encyclopedia, 2013[Online] , http://en.wikipedia.org/wiki/Use_Case ,(Accessed: 11 April 2013)
[15] Use Case Diagram-Wikipedia, the free encyclopedia, 2013[Online].http://en.wikipedia.org/wiki/Use_Case_Diagram (Accessed : 4
March 2013)
[16] Quick definition of a UML use case diagram, How to create a UML use case diagram, [Online] 2013,
http://www.modelio.org/tutorials/how-to-create-uml-use-case-diagram.html.(Accessed : 4 March 2013)
[17] Laurie Williams, Dright Ho, Sarah Smith, Background on UML, Eclipse UML, and Use Case Diagrams, Use case, [Online] 2005,
http://agile.csc.ncsu.edu/SEMaterials/tutorials/use_case_diagram/, (Accessed: 4 March 2013)
[18] D. Firesmith, “Security Use Cases”, Journal of Object Technology, http://www.jot.fm/issues/issue_2003_05/column6 ,May-June
2003, vol. 2, no.3, pp. 53-64.
[19] POSmatic, What is Point of Sale (POS)?, Point of Sale (POS) | What is it?,[Online] 2013, http://www.posmatic.com/point-of-
sale/what-is-point-of-sale.php (Accessed: 4 March 2013)
[20] Point of sale- Wikipedia, the free encyclopedia [Online] 2013. [Online], http://en.wikipedia.org/wiki/Point_of_sale (Accessed: 4
March 2013)
[21] Point of Sell Software - Login Panel, POS, [Online] 2013, http://softdemo.net/pos (Accessed: 24 May 2013)