Security Requirements Engineering Process for Software Product Lines: A Case Study

The majority of the current product line practices in requirements engineering do not adequately address security requirements engineering despite the fact that security requirements engineering is both a central task and a critical success factor in product line development due to the complexity and extensive nature of product lines. Therefore, our contribution is to present and to demonstrate the applicability of our proposed security quality requirements engineering process (SREPPLine), which is based on a security requirements decision model driven by security standards along with a security variability model. We shall demonstrate our proposal by describing part of a real case study as a preliminary validation of these models. The final aim of this approach is to deal with security requirements variability from the early stages of the product line development in a systematic way, in order to facilitate conformance of the products with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.