Print

Team Project #1: Security Requirements for Online Stores

Online Stores Security

Online retailing is considered the most prevalent type and predominant business model of electronic commerce applications existing today. But as Internet users are increasingly dismayed and frightened over the rising rates of a variety of Internet threats, security concerns are making negative impact on online retailing sales. 

Today’s web platform offers more areas for risk to be introduced through its exposure to anonymous users and the involvement of various parties (i.e., suppliers, distributors, customers, and partners), thus making ecommerce systems a target for both accidental and intentional distortion, distribution and deletion of critical transaction data [2]. Although the environmental factors contributing to the security problems cannot be ignored, the failure of secure web engineering has received tremendous attention. Research has found that insecure web applications are being developed by web programmers who either lack of adequate security training [10] or interest in eliciting security requirements [24]. In many cases traditional software requirements engineering techniques are found to be difficult to apply [24], and the testing methodologies for the audit and control of web development were overly insufficient [23].

Many efforts have been made to develop approaches that integrate security requirements early into software development, and these approaches undoubtedly have their merits [7,15].  In order to facilitate the integration process of security requirements, these approaches explicitly define a set of well-defined tasks to follow. In an extensive literature survey Tondel et al. [34] indicates that these approaches typically recommend the use of system goals and such artifacts as security use cases and misuse cases. System goals are success factors for a system. In requirements engineering system goals are generally considered as essential in the development of system requirements. For the use of use cases and misuses, however, Firesmith [10] cautions that system developers should focus on security use cases in the process, because misuse cases are only effective in analyzing security threats. Thus, the nature of misuse cases would inevitably make the development of security use cases a hit-and-miss task.

In this team project you are required to systematically elicitate security requirements for an online store by using this Functionality Framework.

Steps

  1. Carefully review the following three articles: SE Approaches, Security Use Cases, and Engineering SR.
  2. Carefully review the SR Elicitation page in the SDLC module.
  3. Carefully study the System Goals and the System Architecture of online stores in the SDLC module.
  4. Go online and find an online store of your choice.
  5. Use this Functionality Framework, (a) identify possible system goals in the three quality areas for every functionality module except the "Catalog," (b) identify store functions and the assets needed to be safeguarded, and (c) develop security use cases.
  6. Use this security case template to document the security cases developed in Step 5 and write security requirements for each security use case using the guidelines provided by Engineering SR.

Grading:

  1. Completeness and accuracy: 70%
  2. Documentation: 30%