Information Security Antipatterns in Software Requirements Engineering

“Requirements engineering is one of the key activities in
the software development process. The rapid expansion of
e-commerce and internet applications increases the need
for adequate application security. Yet, conventional
requirements engineering methodologies rarely mention
information security aspects. The information security
community, on the other hand, has developed system
security requirements specification methodologies. These
methodologies, from the software architect’s point of
view, are often hard to understand and too general to be
applied. By following conventional methodologies and
failing to thoroughly understand the security
consequences, architects end up with inadequate
application security. This paper presents two commonly
observed cases – antipatterns. In the first case, an old and
well-known (perimeter security) model is applied in a new
context without analysis of the security requirements. In
the second case, the impact of lacking data sensitivity
classification and threat analyses is considered.”

Full paper here. By Miroslav Kis, Ph.D., CISSP, Member IEEE

This entry was posted in Patterns. Bookmark the permalink.

Leave a Reply