Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications
Pontifical Catholic University of Rio de Janeiro, BRA.
Pontifical Catholic University of Rio de Janeiro, BRA.
Pontifical Catholic University of Rio de Janeiro, BRA.
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering.
2020 (English)In: Requirements Engineering, ISSN 0947-3602, E-ISSN 1432-010X, Vol. 25, no 4, p. 439-468, article id Special Issue: SIArticle in journal (Refereed) Published
Abstract [en]

Defects in requirement specifications can have severe consequences during the software development life cycle. Some of them may result in poor product quality and/or time and budget overrun due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensible data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to lack of security expertise and emphasis on security during early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal considers user stories and security specifications as inputs and relates those user stories to security properties via natural language processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experimental trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements and (2) a perspective-based approach as proposed in contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency. © 2020, Springer-Verlag London Ltd., part of Springer Nature.

Place, publisher, year, edition, pages
Springer Science and Business Media Deutschland GmbH , 2020. Vol. 25, no 4, p. 439-468, article id Special Issue: SI
Keywords [en]
Agile requirements, Requirement verification, Software inspection, Software security, Budget control, Computer software, Cryptography, Defects, Efficiency, Life cycle, Natural language processing systems, Software design, Specifications, Effectiveness and efficiencies, Experimental trials, NAtural language processing, Open web application security projects, Quality characteristic, Requirement specification, Security requirements, Software development life cycle, Network security
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-20512DOI: 10.1007/s00766-020-00338-wISI: 000570852900001Scopus ID: 2-s2.0-85091237223OAI: oai:DiVA.org:bth-20512DiVA, id: diva2:1472656
Part of project
SERT- Software Engineering ReThought, Knowledge Foundation
Note

open access

Available from: 2020-10-02 Created: 2020-10-02 Last updated: 2021-05-25Bibliographically approved

Open Access in DiVA

fulltext(2741 kB)540 downloads
File information
File name FULLTEXT01.pdfFile size 2741 kBChecksum SHA-512
9fe3d9ab9c8be6adb7545602652d105f56babdf3a17a5bbff0d4bf23f00131ff644173d9871656261874f16b7cd87a3c4d52afa3dcf4b97d51bc0d9241ad4c42
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Mendez, Daniel

Search in DiVA

By author/editor
Mendez, Daniel
By organisation
Department of Software Engineering
In the same journal
Requirements Engineering
Software Engineering

Search outside of DiVA

GoogleGoogle Scholar
Total: 540 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 115 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf