STORE: Security Threat Oriented Requirements Engineering Methodology
This addresses the need for systematic security requirement engineering in software development, particularly for applications like ERP systems, but it is incremental as it builds on existing methodologies.
The paper tackles the problem of identifying security threats early in software development by proposing the STORE methodology for security requirement elicitation based on security threat analysis, and it shows that STORE is more effective and efficient than existing techniques like SQUARE and MOSRE in eliciting security requirements.
As we are continuously depending on information technology applications by adopting electronic channels and software applications for our business, online transaction and communication, software security is increasingly becoming a necessity and more advanced concern. Both the functional and non-functional requirements are important and provide the necessary needs at the early phases of the software development process, specifically in the requirement phase. The aim of this research is to identify security threats early in the software development process to help the requirement engineer elicit appropriate security requirements in a more systematic manner throughout the requirement engineering process to ensure a secure and quality software development. This article proposes the STORE methodology for security requirement elicitation based on security threats analysis, which includes the identification of four points: PoA, PoB, PoC and PoD for effective security attack analysis. Further, the proposed STORE methodology is also validated by a case study of an ERP System. We also compare our STORE methodology with two existing techniques, namely, SQUARE and MOSRE. We have shown that more effective and efficient security requirements can be elicited by the STORE methodology and that it helps the security requirement engineer to elicit security requirements in a more organized manner.