PAPS: A Scalable Framework for Prioritization and Partial Selection of Security Requirements
Davoud Mougouei

TL;DR
This paper introduces PAPS, a scalable goal-based framework that prioritizes and partially selects security requirements to address resource constraints while minimizing security risks in software development.
Contribution
It proposes a goal-based framework for prioritizing security requirements and selecting them partially rather than all-or-nothing, so that fewer requirements are ignored and fewer of the threats they address are left unattended.
Findings
Reduces ignored security requirements in resource-constrained scenarios
Minimizes security vulnerabilities by considering partial requirement satisfaction
Enhances security requirement management through goal-based prioritization
Abstract
Owing to resource constraints, the existing prioritization and selection techniques for software security requirements (countermeasures) find a subset of higher-priority security requirements, ignoring lower-priority requirements or postponing them to future releases. Ignoring or postponing security requirements, however, may on the one hand leave some security threats (vulnerabilities) unattended and on the other hand weaken other security requirements that rely on the ignored or postponed ones. To address this, we propose considering partial satisfaction of security requirements, where tolerable, rather than ignoring those requirements or postponing them to the future. In doing so, we contribute a goal-based framework that enables prioritization and partial selection of security requirements with respect to security goals. The proposed framework helps reduce…
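The following script is an added illustration of the distinction the abstract draws, not code from the paper or an implementation of PAPS. It contrasts all-or-nothing selection under an effort budget with selection that allows partial satisfaction, and it scores the result with a constructed rule under which a requirement is only as effective as the least-satisfied requirement it depends on. The four requirements, their costs, risk values, the dependency and the budget are all assumptions made for the example.

```python
"""Constructed example: all-or-nothing vs partial selection of security
requirements under an effort budget. Not the PAPS framework; the
requirements, costs, risk values and scoring rule are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecReq:
    name: str
    cost: float             # effort needed to satisfy the requirement fully
    risk: float             # risk removed when the requirement is fully satisfied
    depends_on: tuple = ()  # requirements this one relies on to be effective


# Constructed sample set (assumption): output encoding (R2) is only
# effective when input validation (R1) is in place.
REQS = (
    SecReq("R1 input validation", cost=6, risk=9),
    SecReq("R2 output encoding", cost=2, risk=5, depends_on=("R1 input validation",)),
    SecReq("R3 rate limiting", cost=3, risk=6),
    SecReq("R4 audit logging", cost=4, risk=4),
)
BUDGET = 8.0  # assumed effort available in this release


def _by_density(reqs):
    """Highest risk-reduction per unit of effort first."""
    return sorted(reqs, key=lambda r: r.risk / r.cost, reverse=True)


def select_binary(reqs, budget):
    """All-or-nothing greedy selection: satisfaction level is 0 or 1.
    Requirements that do not fit the remaining budget are ignored."""
    sat, left = {r.name: 0.0 for r in reqs}, budget
    for r in _by_density(reqs):
        if r.cost <= left:
            sat[r.name], left = 1.0, left - r.cost
    return sat


def select_partial(reqs, budget):
    """Greedy selection with partial satisfaction: a requirement that no
    longer fits is funded to the fraction the remaining budget allows
    (fractional-knapsack rule), instead of being dropped."""
    sat, left = {r.name: 0.0 for r in reqs}, budget
    for r in _by_density(reqs):
        if left <= 0:
            break
        frac = min(1.0, left / r.cost)
        sat[r.name], left = frac, left - frac * r.cost
    return sat


def effective_mitigation(reqs, sat):
    """Assumed scoring rule: a requirement's contribution is capped by the
    satisfaction level of every requirement it depends on, so a fully
    implemented R2 on top of an ignored R1 contributes nothing."""
    total = 0.0
    for r in reqs:
        cap = min([sat[d] for d in r.depends_on], default=1.0)
        total += r.risk * min(sat[r.name], cap)
    return total


def ignored(sat):
    """Names of requirements left at zero satisfaction."""
    return sorted(name for name, level in sat.items() if level == 0.0)


if __name__ == "__main__":
    for label, chooser in (("binary", select_binary), ("partial", select_partial)):
        levels = chooser(REQS, BUDGET)
        print(f"{label:8s} ignored={ignored(levels)} "
              f"mitigation={effective_mitigation(REQS, levels):.1f}")
```

With these inputs the all-or-nothing pass selects R2 and R3 and ignores R1 and R4; because R2 depends on the ignored R1, its nominal risk reduction is lost and the effective mitigation is 6.0. The partial pass funds R2 and R3 in full and R1 to half, leaving only R4 ignored, and scores 13.0. The scoring rule is deliberately simple; the point is that a dependent requirement's value is not a property of that requirement alone, which is why partial satisfaction of the requirement it relies on can be worth more than a fully funded but isolated countermeasure.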
Taxonomy
Topics: Advanced Software Engineering Methodologies · Software Reliability and Analysis Research · Software Engineering Techniques and Practices
