Risk-Based Security Requirements Model for Web Software

Abstract

With the proliferation of software vulnerabilities, tools are need to aid developers in infusing security requirements. This work introduces a risk-based security requirements model (RBSR) for web applications. With RBSR, security requirements for mitigating vulnerabilities are associated with weaknesses and risks. Events in the application’s functional requirements are also associated with risks. The functional requirements thus acquire the relevant security requirements. RBSR makes it possible to specify security requirements completely and consistently across use cases. The RBSR model is explained and a case study application is used to demonstrate the model.