SECRS TEMPLATE TO AID NOVICE DEVELOPERS IN SECURITY REQUIREMENTS IDENTIFICATION AND DOCUMENTATION
Keywords: security requirements, security requirements engineering methods, SQUARE, CLASP, Usability, Applicability
Security requirements are non-functional requirements (NFRs) that act as constraints on the functions of the system to be built. They are important and may affect the overall quality of the system. Unfortunately, many organizations do not pay much attention to them. Security problems should be addressed in the early phases of the development process, i.e. in the requirements phase, to stop them from spreading into later phases and, in turn, to avoid rework. When security requirements are in focus, proper guidance should be provided to assist requirements engineers. Many security requirements engineering methods have been developed in the past, and they require different levels of expertise; the SQUARE process, for example, requires the requirements engineer to have a certain level of security expertise. Moreover, proper guidance is lacking, especially for novice developers, in applying the existing security requirements engineering (SecRE) methods to identify security requirements. Hence, this study intends to address the gap by developing a guided template to assist novice developers in security requirements identification and documentation. The main objectives of the research are: 1) to study and investigate the existing security requirements engineering (SecRE) methods; and 2) to develop a template to aid novice developers in identifying and documenting security requirements. The developed template is applied to two case studies of software projects to determine its usability and applicability. The results of the case study evaluation show that both the usability and applicability of the template are good. The template is also evaluated by several experts and software practitioners.
The evaluation results show that the SecRS template satisfies the usability and applicability factors, thereby confirming that the proposed template achieves its desired objective of aiding novice developers to identify and document security requirements correctly.
Copyright (c) 2022 University Malaysia Pahang Publishing
This work is licensed under a Creative Commons Attribution 4.0 International License.