An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications

  • Original Article
  • Journal: Requirements Engineering

Abstract

Defects in requirement specifications can have severe consequences throughout the software development life cycle. Some of them result in poor product quality and/or time and budget overruns because quality characteristics, such as security, are incorrectly specified or missing altogether. Security requires special attention in web applications because they have become a target for manipulating sensitive data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified owing to a lack of security expertise and a lack of emphasis on security during the early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal takes user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against two alternatives: (1) using the OWASP high-level security requirements directly and (2) a perspective-based approach as proposed in the contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with a large effect size) on the performance of inspectors in terms of effectiveness and efficiency.
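The pipeline the abstract describes (user stories, security properties, OWASP high-level requirements, reviewer reading technique) sketched as an added example; this is not the paper's tool or its NLP model, and the cue phrases, property names, OWASP-style requirement labels and sample stories are all constructed assumptions for illustration.

```python
"""Added illustration (not the paper's tool) of the abstract's pipeline:
user stories -> security properties (simple cue matching stands in for the
paper's NLP step) -> OWASP-style high-level requirements -> reviewer questions."""
import re

# Assumed cue phrases that signal a security property is at stake in a story.
PROPERTY_CUES = {
    "authentication":   ["log in", "login", "sign in", "password", "credentials"],
    "authorization":    ["admin", "administrator", "role", "my account", "only"],
    "confidentiality":  ["credit card", "personal data", "private", "home address"],
    "integrity":        ["update", "edit", "modify", "delete", "transfer"],
    "input_validation": ["search", "upload", "enter", "comment", "form"],
}

# Assumed property -> high-level requirement, paraphrased in OWASP style (not OWASP's text).
OWASP_REQS = {
    "authentication":   "Verify the identity of users before granting access",
    "authorization":    "Enforce access control on every protected function and record",
    "confidentiality":  "Protect sensitive data in transit and at rest",
    "integrity":        "Validate and log state-changing operations",
    "input_validation": "Validate and encode all untrusted input",
}

def normalize(text):
    """Lowercase and strip punctuation so cue matching is word-based."""
    return " ".join(re.findall(r"[a-z0-9']+", text.lower()))

def properties_for(story):
    """Return the sorted security properties whose cues occur as whole words in the story."""
    norm = normalize(story)
    return sorted(p for p, cues in PROPERTY_CUES.items()
                  if any(re.search(rf"\b{re.escape(c)}\b", norm) for c in cues))

def reading_technique(stories):
    """Map each story to (property, requirement, question) triples the inspector walks through."""
    guide = {}
    for story in stories:
        guide[story] = [
            (p, OWASP_REQS[p], f"Does the story state how '{OWASP_REQS[p]}' is satisfied, or is it left unspecified?")
            for p in properties_for(story)]
    return guide

# Constructed sample user stories (assumption, not taken from the paper).
SAMPLE_STORIES = [
    "As a customer, I want to log in with my password so that I can see my account.",
    "As an admin, I want to delete customer reviews so that spam is removed.",
    "As a visitor, I want to search products by name so that I find items quickly.",
]
```

Calling `reading_technique(SAMPLE_STORIES)` yields, for each story, the matched properties and the questions a reviewer would answer against the specification; a story that matches no property is returned with an empty list, which is itself a signal worth inspecting.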





Author information

Correspondence to Hugo Villamizar.


Cite this article

Villamizar, H., Kalinowski, M., Garcia, A. et al. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications. Requirements Eng 25, 439–468 (2020). https://doi.org/10.1007/s00766-020-00338-w
