Online Stores: Functionality Framework

The Framework

Based on the system architecture and the system goals of online stores, a comprehensive functionality framework for the online stores can be developed in a form of a two-dimensional grid (see the Table below), with the horizontal axis distinguished between store functionalities and the vertical axis of the matrix distinguished between system goals. This functionality framework can be used to capture the functionalities and system goals of an online store in a systematic and modular manner, thus enabling web developers to systematically and effectively develop use cases and security use cases early in the development life cycle. In the framework, each intersection in the grid actually represents a possible area for an online store to develop store functionalities (i.e. functional cases) to achieve its corresponding system goals. Consequently, each function to be developed (i.e., functional case) also needs to be examined for security concerns (i.e., security use cases) accordingly.


Assume that an online store decides to enhance the efficiency of browsing product catalog to achieve the following system goals:
  • Information Quality: To publish an online catalog that makes product structure and product information available through an effective scheme of information organization and of high quality.
  • System Quality: To employ adequate technologies in the design of the online catalog that has an effective layout and offers site features (success factors) such as navigability, ease of use, usefulness, playfulness, search capability, personalization, and interactivity.
  • Service Quality: To provide customer services related to the online catalog in a responsive manner.

To meet the system goals listed above, the online store needs to develop the following functionalities in terms of store functions and the associated data stores:

Based on the functionalities above, security use cases can be developed:

Functions Security Use Cases
Catalog Navigation

Product List

Product Detail

Product Reviewer Registration

Product Reviewer Login

Product Review Submission

Product review List

Competitor Price Comparison

Product Search

Product Request

Inventory Notification

* based on Firesmith's categories of Web security requirements:

  1. Identification (ID): Ensure that users and client applications are identified.
  2. Authentication (AT): Ensure that users and client applications are properly verified.
  3. Authorization (AR): Ensure that users and client applications can only access data and services for which they have been properly authorized.
  4. Integrity (IG): Ensure that communications and data are not intentionally corrupted.
  5. Intrusion (IT): Detect attempted intrusions by unauthorized persons and client applications.
  6. Non-repudiation (NR): Ensure that parties to interactions with the application or component cannot later repudiate those interactions.
  7. Privacy (PV): Ensure that confidential communications and data are kept private.
  8. Audit (AD): Enable security personnel to audit the status and usage of the security mechanisms.
  9. Maintenance (MT): Ensure that an application, component, or center shall prevent authorized modifications from accidentally defeating its security mechanisms.

Supplemental Reading