Mutual Refinement of Security Requirements and Architecture Using Twin Peaks Model
Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka.
36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012), pp. 367-372, Izmir, Turkey, Jul. 2012. IEEE CS. 16-20 July 2012.
It is difficult to sufficiently specify software security requirements because they depend on a software architecture that has not yet been designed. Although the Twin Peaks model is a reference model for eliciting a sufficient set of software requirements in conjunction with the architectural requirements, it is still unclear how security requirements can be elicited while taking the architecture into consideration. We propose a novel method for eliciting security requirements alongside architecture elaboration based on the Twin Peaks model, called the Twin Peaks Model application for Security Analysis (TMP-SA). In our method, security countermeasures against attacks are elicited as security requirements incrementally, following the refinement of the architecture. We can comprehensively explore the alternatives for the countermeasures (security requirements) and choose the most suitable one for each project because we can focus on architecture-specific security issues as well as architecture-independent ones. We have applied our method to several applications and discuss its advantages and limitations. We found that our method is suitable for iterative development, and that it enables us to find threats caused by architectural issues that are extremely difficult to find when analyzing only the requirements issues.