Security Requirements---A Field Study of Current Practice
2005 (English). In: Symposium on Requirements Engineering for Information Security, 2005, 2005. Conference paper (Refereed)
The number of security flaws in software is a costly problem. In 2004 more than ten new security vulnerabilities were found in commercial and open source software every day. More accurate and consistent security requirements could be a driving force towards more secure software. In a field study of eleven software projects including e-business, health care and military applications we have documented current practice in security requirements. The overall conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions. We show how the requirements could have been enhanced by using the ISO/IEC standard for security management.
Keywords: security requirements, requirements engineering, public procurement
Identifiers: URN: urn:nbn:se:liu:diva-29496; Local ID: 14851; OAI: oai:DiVA.org:liu-29496; DiVA: diva2:250311
13th IEEE International Requirements Engineering Conference, August 29th-September 2nd, Paris, France