Towards security requirements management for software product lines: A security domain requirements engineering process

Security and requirements engineering are one of the most important factors of success in the development of a software product line due to the complexity and extensive nature of them, given that a weakness in security can cause problems throughout the products of a product line. The main contribution of this work is that of providing a security standard-based process for software product line development, which is an add-in of activities in the domain engineering. This process deals with security requirements from the early stages of the product line lifecycle in a systematic and intuitive way especially adapted for product line based development. It is based on the use of the latest security requirements techniques, together with the integration of the Common Criteria (ISO/IEC 15408) and the ISO/IEC 17799 controls into the product line lifecycle. Additionally, it deals with security artefacts variability and traceability, providing us with a Security Core Assets Repository. Moreover, it facilitates the conformance to the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 17799. Finally, we will illustrate our proposed process by describing part of a real case study, as a preliminary validation of it.