TY - JOUR
T1 - A maturity model for secure requirements engineering
AU - Niazi, Mahmood
AU - Saeed, Ashraf Mohammed
AU - Alshayeb, Mohammad
AU - Mahmood, Sajjad
AU - Zafar, Saad
N1 - Publisher Copyright:
© 2020
PY - 2020/8
Y1 - 2020/8
N2 - Security is considered to be a critical software quality attribute. Tackling security at the requirements phase helps to avoid the need to rework secure software development issues. The aim of this paper is to develop a Requirements Engineering (RE) Security Maturity Model (RESMM) to assist software development organizations to better specify the requirements for secure software development. To achieve this objective, first, we conducted a systematic literature review (SLR) to identify the requirement practices for secure software development. Then we modified Sommerville's requirements engineering practices. We also conducted a questionnaire survey based on the identified security requirements practices. Next, the RESMM was built based on the results of the SLR, the modified Sommerville practices and feedback from the security practitioners. Finally, two case studies were conducted to assess RESMM. RESMM has 79 practices classified into 7 RE categories. The case study results show that RESMM has a clear structure and is easy to comprehend and use. In addition, the case study participants recommended that software organizations adopt RESMM. RESMM has the ability to identify the RE security maturity levels in software organizations. RESMM can also help software development organizations deliver secure software.
AB - Security is considered to be a critical software quality attribute. Tackling security at the requirements phase helps to avoid the need to rework secure software development issues. The aim of this paper is to develop a Requirements Engineering (RE) Security Maturity Model (RESMM) to assist software development organizations to better specify the requirements for secure software development. To achieve this objective, first, we conducted a systematic literature review (SLR) to identify the requirement practices for secure software development. Then we modified Sommerville's requirements engineering practices. We also conducted a questionnaire survey based on the identified security requirements practices. Next, the RESMM was built based on the results of the SLR, the modified Sommerville practices and feedback from the security practitioners. Finally, two case studies were conducted to assess RESMM. RESMM has 79 practices classified into 7 RE categories. The case study results show that RESMM has a clear structure and is easy to comprehend and use. In addition, the case study participants recommended that software organizations adopt RESMM. RESMM has the ability to identify the RE security maturity levels in software organizations. RESMM can also help software development organizations deliver secure software.
UR - http://www.scopus.com/inward/record.url?scp=85084658340&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2020.101852
DO - 10.1016/j.cose.2020.101852
M3 - Article
AN - SCOPUS:85084658340
SN - 0167-4048
VL - 95
JO - Computers and Security
JF - Computers and Security
M1 - 101852
ER -