Daniel Mellado, Eduardo Fernández-Medina, Mario Piattini



Proper analysis and understanding of security requirements are important because they help us to discover any security or requirement defects or mistakes in the early stages of development. Hence, security requirements engineering is both a central task and a critical success factor in product line development due to the complexity and extensive nature of product lines. However, most of the current product line practices in requirements engineering do not adequately address security requirements engineering. Therefore, in this paper we will propose a security quality requirements engineering process (SREPPLine) driven by security standards and based on a security requirements decision model along with a security variability model to manage the variability of the artefacts related to security requirements. The aim of this approach is to deal with security requirements from the early stages of the product line development in a systematic way, in order to facilitate conformance with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.


  1. Birk, A. & G. Heller (2007). "Challenges for requirements engineering and management in software product line development." International Conference on Requirements Engineering (REFSQ 2007): 300-305.
  2. Bosh, J. (2000). Design & Use of Software Architectures, Pearson Education Limited,
  3. Chung, L., B. Nixon, E. Yu & J. Mylopoulos (2000). NonFunctional Requirements in Software Engineering, Kluwer Academic Publishers,
  4. Clements, P. & L. Northrop (2002). Software Product Lines: Practices and Patterns, Addison-Wesley,
  5. Firesmith, D. G. (2003). "Engineering Security Requirements." Journal of Object Technology 2(1): 53-68.
  6. ISO/IEC (2004). ISO/IEC 13335 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management.
  7. ISO/IEC (2004). ISO/IEC 15446 Information technology - Security techniques - Guide for the production of Protection Profiles and Security Targets.
  8. ISO/IEC (2005). ISO/IEC 15408:2005 Information technology - Security techniques - Evaluation criteria for IT security, (Common Criteria v3.0).
  9. ISO/IEC (2006). ISO/IEC 27001 Information technology - - Security techniques -- Information security management systems -- Requirements.
  10. Jürjens, J. (2002). "UMLsec: extending UML for secure systems development." UML 2002 - The Unified Modeling Language. Model Engineering, Languages,Concepts, and Tools. 5th International Conference. LNCS 2460: 412-425.
  11. Kotonya, G. & I. Sommerville (2000). Requirements Engineering Process and Techniques, John Willey & Sons,
  12. Kuloor, C. & A. Eberlein (2003). Aspect-Oriented Requirements Engineering for Software Product Lines. Proceedings of the 10 th IEEE International Conference and Workshop on the Engineering of Computer-Based Systems (ECBS'03).
  13. López, F., M. A. Amutio, J. Candau & J. A. Mañas (2005). Methodology for Information Systems Risk Analysis and Management, Ministry of Public Administration,
  14. Mellado, D., E. Fernández-Medina & M. Piattini (2006). "Applying a Security Requirements Engineering Process." 11th European Symposium on Research in Computer Security (ESORICS 2006) Springer LNCS 4189: 192-206.
  15. Mellado, D., E. Fernández-Medina & M. Piattini (2008). Towards security requriements management for software product lines: a security domain requirements engineering process. Computer Standards & Interfaces. (accepted):
  16. Niemelä, E. & A. Immonen (2007). Capturing quality requirements of product family architecture. Information & Software Technology. 49: 1107-1120.
  17. OMG_(Object_Management_Group) (2004). Reusable Assets Specification (RAS), ptc/04-06-06.
  18. Pohl, K., G. Böckle & F. v. d. Linden (2005). Software Product Line Engineering. Foundations, Principles and Techniques. Berlin Heidelberg: Springer,
  19. Sindre, G. & A. L. Opdahl (2005). "Eliciting security requirements with misuse cases." Requirements Engineering 10 1: 34-44.

Paper Citation

in Harvard Style

Mellado D., Fernández-Medina E. and Piattini M. (2008). SECURITY REQUIREMENTS IN SOFTWARE PRODUCT LINES . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008) ISBN 978-989-8111-59-3, pages 442-449. DOI: 10.5220/0001922804420449

in Bibtex Style

author={Daniel Mellado and Eduardo Fernández-Medina and Mario Piattini},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)},

in EndNote Style

JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2008)
SN - 978-989-8111-59-3
AU - Mellado D.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2008
SP - 442
EP - 449
DO - 10.5220/0001922804420449