Describing early security requirements using use case maps

Abstract

Non-functional requirements (NFR), such as availability, usability, performance, and security, are often crucial in producing a satisfactory software product. Therefore, these non-functional requirements should be addressed as early as possible in the software development life cycle. Contrary to other non-functional requirements, such as usability and performance, security concerns are often postponed to the very end of the design process. As a result, security requirements have to be tailored into an existing design, leading to serious design challenges that usually translate into software vulnerabilities. In this paper, we present a novel approach to describe high-level security requirements using the Use Case Maps (UCM) language of the ITU-T User Requirements Notation (URN) standard. The proposed approach is based on a mapping to UCM models of a set of security architectural tactics that describe security design measures in a very general, abstract, and implementation-independent way. The resulting security extensions are described using a metamodel and implemented within the jUCMNav tool. We illustrate our approach using a UCM scenario describing the modification of consultants’ pay rates.

Cite

Hassine, J., & Hamou-Lhadj, A. (2015). Describing early security requirements using use case maps. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9369, pp. 202–217). Springer Verlag. https://doi.org/10.1007/978-3-319-24912-4_15
