Applying a Security Domain Requirements Engineering Process for Software Product Lines

Security requirements management is especially important in software product lines, given that a weakness in security or a security breach can cause problems throughout all the products of a product line. The main contribution of this work is that of illustrating, by describing part of a real case study, a guided, systematic and intuitive way of dealing with security requirements from the early stages of the product line lifecycle by applying our proposed process of security requirements engineering for software product lines (SREPPLine), which makes it easier the variability and reusability management as well as the traceability relations of the security requirements in the product line. It is based on the use of the latest security requirements techniques, together with the integration of the Common Criteria (ISO/IEC 15408) and ISO/IEC 27001 controls, so that it facilitates the conformance of the product line and its products to the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.