Requirements engineering in secure software systems: Factors that influence requirements risk analysis and risk management

Cited by: 0
Authors
Stinson, James [1]
Vaughn, Rayfford [1]
Affiliations
[1] Mississippi State Univ, Dept Comp Sci & Engn, Mississippi State, MS 39759 USA
Source
WMSCI 2006: 10TH WORLD MULTI-CONFERENCE ON SYSTEMICS, CYBERNETICS AND INFORMATICS, VOL VI, PROCEEDINGS | 2006
Keywords
secure requirements; risk analysis; risk management; requirements engineering
DOI
Not available
Chinese Library Classification (CLC) number
TP18 [Artificial intelligence theory]
Discipline classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Although a significant amount of research has been devoted to software engineering practices, methods for developing secure software systems have been somewhat overlooked by industry and academe, viewing security as something that is bolted on at the end of a project rather than baked into the development lifecycle. As software systems become more complex, are accessed by greater numbers of users, and contain more sensitive information, making sure applications are secure is becoming increasingly important. Within the last few years, there has been a renewed focus on developing secure software systems. Gathering, analyzing, and managing requirements for secure software projects are difficult because of factors related to cost, expertise, and time constraints. In addition, secure requirements often clash with traditional non-secure software requirements, which results in project delivery delays, increases in cost, reduction in quality, and stakeholder disappointment. In order to overcome these issues, it is necessary to understand the importance of secure requirements risk analysis and requirements risk management. This paper discusses these difficulties in relation to secure system risk analysis, and suggests methods for reducing or mitigating some of these issues.
Pages: 342-345
Page count: 4