Abstract To develop security critical web applications, specifying security requirements is important, since 75% to 80% of all attacks happen at the web application layer. We adopted security requirements engineering methods to identify security requirements at the early stages of software development life cycle so as to minimize vulnerabilities at the later phases. In this paper, we present the evaluation of Model Oriented Security Requirements Engineering (MOSRE) framework and Security Requirements Engineering Framework (SREF) by implementing the identified security requirements of a web application through each framework while developing respective web application. We also developed a web application without using any of the security requirements engineering method in order to prove the importance of security requirements engineering phase in software development life cycle. The developed web applications were scanned for vulnerabilities using the web application scanning tool. The evaluation was done in two phases of software development life cycle: requirements engineering and testing. From the results, we observed that the number of vulnerabilities detected in the web application developed by adopting MOSRE framework is less, when compared to the web applications developed adopting SREF and without using any security requirements engineering method. Thus, this study led the requirements engineers to use MOSRE framework to elicit security requirements efficiently and also trace security requirements from requirements engineering phase to later phases of software development life cycle for developing secure web applications.

References

[1] Adida B. and Helios B., Web-Based Open- Audit Voting, in Proceedings of the 17th USENIX Security Symposium, Berkeley, pp. 335- 348, 2008.

[2] Asnar Y., Moretti R., Sebastianis M., and Zannone N., Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model- Driven Approach, in Proceedings of the Third International Conference on Availability, Reliability and Security, Barcelona, pp.1240- 1247, 2008.

[3] Fu X., Lu X., Peltsverger B., Chen S., Qian K., and Tao L., A Static Analysis Framework for Detecting SQL Injection Vulnerabilities, in Proceedings 31st Annual International Computer Software and Applications Conference, Beijing, pp. 87-96, 2007.

[4] Fuentes L. and Sanchez P., Designing and Weaving Aspect-Oriented Executable UML Models, Journal of Object Technology, vol. 6, no. 7, pp.109-136, 2007.

[5] Gartner Research, http://www.gartner.com/ technology/research.jsp, Last Visited, 2012.

[6] Haley C., Laney R., Moffett J., and Nuseibeh B., Security Requirements Engineering: A Framework for Representation and Analysis, IEEE Transactions on Software Engineering, vol. 34, no. 1, pp. 133-153, 2008.

[7] Hopkins A., Web Application Vulnerability Statistics 2010-2011, White Paper, Context Information Security, 2012.

[8] Ismail O., Kadobayashi Y., Yamaguchi S., and Etoh M., A Proposal and Implementation of Automatic Detection/ Collection System for Cross Site Scripting Vulnerability, in Proceedings 18th International Conference on Advanced Information Networking and Applications, Fukuoka, pp.145-151, 2004.

[9] Jacobson I., Modeling with Use Cases: Formalizing Use Case Modelling, Journal of Object-Oriented Programming, vol. 8, no. 3, pp.139-149, 1995.

[10] Jefferson D., Rubin A., Simons B., and Wagner D., A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), http://servesecurityreport.org/paper .pdf, Last Visited, 2004.

[11] Jos Escalona M. and Koch N., Requirements Engineering for Web Applications-A Comparative Study, Journal of Web Engineering, vol. 2, no. 3, pp. 193-212, 2004.

[12] J rjens J., UMLsec: Extending UML for Secure Systems Development, in Proceedings of 5th International Conference on the Unified Modeling Language, Dresden, pp. 412-425, 2002.

[13] Kals S., Kirda E., Kruegel C., and Jovanovic N., SecuBat-A Web Vulnerability Scanner, in Proceedings of 15th International Conference World Wide Web, Edinburgh, pp. 247-256, 2006.

[14] Karabey B. and Baykal N., Attack Tree Based Information Security Risk Assessment Method Integrating Enterprise Objectives with Vulnerabilities, The International Arab Journal of Information Technology, vol. 10, no. 3, pp. 297-304, 2013.

[15] Kiayias A., Korman M., and Walluck D., An Internet Voting System Supporting User Privacy, in Proceedings 22nd Annual Computer Security Applications Conference, Miami Beach, pp.165-174, 2006.

[16] Koch N. and Kraus A., The Expressive Power of UML-Based Web Engineering, in Proceedings of 2nd International Workshop on Web-Oriented Software Technology, Malaga, pp. 105-119, 2002.

[17] Kohno T., Stubblefield A., Rubin A., and Wallach S., Analysis of an Electronic Voting System, in Proceedings of IEEE Symposium on Security and Privacy, Berkeley, pp. 27-40, 2004.

[18] LamSweerde A., Elaborating Security Requirements by Construction of Intentional Anti-Models, in Proceedings of 26th 444 The International Arab Journal of Information Technology, Vol. 15, No. 3, May 2018 International Conference on Software Engineering, Edinburgh, pp. 148-157, 2004.

[19] List of Vulnerabilities, http://nvd.nist.gov/ full_listing.cfm, Last Visited, 2014.

[20] Liu L., Yu E., and Mylopoulos J., Security and Privacy Requirements Analysis within a Social Setting, in Proceedings 11th IEEE International Conference on Requirements Engineering, Monterey Bay, pp. 151-161, 2003.

[21] Lodderstedt T., Basin D., and Doser J., SecureUML: A UML-Based Modeling Language for Model-Driven Security, in Proceedings of 5th International Conference on the Unified Modeling Language, Dresden, pp. 426-441, 2002.

[22] Mead N., Security Requirements Engineering, Carnegie Mellon University, https://BuildSecurityin.us-cert.gov/Daisy/Bsi/ Articles/Best-Practices/Requirements/243.html, Last Visited, 2010.

[23] Mead N., Houg E., and Stehney T., Security Quality Requirements Engineering (SQUARE) Methodology, Technical Report, 2005.

[24] Mell P., The National Vulnerability Database, National Institute of Standards and Technology, http://csrc.nist.gov/groups/SMA/ispab/documents /minutes/2005-12/P_Mell-Dec2005-ISPAB.pdf 1 Last Visited, 2005.

[25] Mellado D., Medina E., and Piattini M., A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems, Computer Standards and Interfaces, vol. 29, no. 2, pp. 244- 253, 2007.

[26] Mouratidis H. and J rjens J., From Goal-Driven Security Requirements Engineering to Secure Design, International Journal of Intelligent Systems, vol. 25, no. 8, pp. 813-840, 2010.

[27] Online Web Application Security Projects, https://www.owasp.org, Last Visited, 2014.

[28] Rubin A. Security Considerations for Remote Electronic Voting over the Internet, http://avirubin.com/e-voting.security.html. Last Visited, 20014.

[29] Salini P. and Kanmani S., Evaluating Security Requirements Engineering Framework for Web Applications, CiiT International Journal of Software Engineering and Technology, vol. 1, no. 3, pp. 106-112, 2009.

[30] Salini P. and Kanmani S., Model Oriented Security Requirements Engineering (MOSRE) Framework for Web Applications, in Proceedings of Second International Conference on Advances in Computing and Information Technology, Chennai, pp. 341-353, 2012.

[31] Salini P. and Kanmani S., Security Based Requirements Engineering for E-Voting System, in Proceedings of Third International Conference on Recent Trends in Information, Telecommunication and Computing, Springer New York, pp. 451-455, 2013.

[32] Scott D. and Sharp R., Abstracting Application- Level Web Security, in Proceedings of 11th International Conference on World Wide Web, Honolulu, pp. 396-407, 2002.

[33] Subramaniam U. and Subbaraya K., A Biometric Based Secure Session Key Agreement Using Modified Elliptic Curve Cryptography, The International Arab Journal of Information Technology, vol. 12, no. 2, pp. 155-162, 2015.

[34] Suleiman H. and Svetinovic D., Evaluating the Effectiveness of the Security Guality Requirements Engineering (SQUARE) Method: a Case Study Using Smart Grid Advanced Metering Infrastructure, Requirements Engineering, vol. 18, no. 3, pp. 251-279, 2013.

[35] Web Security Threat Classification. WASC, https://files.pbworks.com/download/Ps7eci3iTm/ webappsec/ 13247059/WASC-TC-v2_0. pdf. Last Visited, 2014. Salini Prabhakaran is from Puducherry received her B.Tech degree in Information Technology and M.Tech in Computer Science and Engineering from Pondicherry University. She completed her Ph.D in Computer Science and Engineering, from Pondicherry Engineering College affiliated to Pondicherry University. In 2005 she joined as a lecturer in Department of Information Technology in a Private Engineering College. Since 2007, she is working as an Assistant Professor in Department of Computer Science and Engineering, Pondicherry Engineering College. Her research interests are software engineering, security engineering and information security. She has published about 15 papers in reputed international journals and conferences and she is a member of ISTE. Kanmani Selvadurai received her B.E and M.E in Computer Science and Engineering from Bharathiar University and Ph.D from Anna University, Chennai. She has been the faculty of department of Computer Science and Engineering, Pondicherry Engineering College from 1992. Presently she is working as a professor in the Department of Information Technology. Her research interests are in software engineering, software testing and object oriented systems. She is a member of computer society of India, ISTE and Institute of Engineers, India. She has published more than 150 papers in international conferences and journals.