A Security Requirements Engineering Process in Practice

Security requirements for the IT-systems are being more and more complicated due to the scale-spreading, diversification and connectivity of them, therefore it is very difficult to make an Information System secure. Without a systematic process or methodology security requirements are often retrofitted late in the development process or pursed separately from functional design. A real case study is shown in this paper demonstrating how security requirements can be obtained in a guided, intuitive and systematic way together with the other requirements and since the early stages of the software development process by applying our proposed security requirements engineering process, called SREP, which is based on providing a security resources repository and on integrating the Common Criteria into the software development lifecycle.