Description

Designing secure software systems means - implicitly or explicitly - to satisfy the security requirements of a software system. A security requirement defines a certain required aspect of the system to increase security or, in other words, decrease the possibility and/or the damage of cyber attacks. Hence, the completeness and soundness of the defined security requirements is one factor of how secure a software system is (another is, how well the security requirements are fulfilled by a system). However, which security requirements are important to be considered when designing and implementing a software system depends on multiple factors, such as the target domain the software is going to be used, or the type of the desired software. Moreover, security requirements relate to different parts - or abstractions - of a software system. For instance, one security requirement can require a web application firewall to be deployed at the endpoint to the public internet - which affects the application and infrastructure level in the first place - while another can require a certain hashing algorithm to be used for sensitive data, which affects the code and protocol level in the first place. Up to now, there does not exist a meaningful catalog and classification of security requirements.

In this thesis a catalog of common security requirements of software systems shall be developed. On top of that, a meaningful classification of the security requirements must be developed, that allows to classify them according to certain characteristics. These can be, for instance, the type of software, i.e. for what type of software the security requirement is usually important or even required, or the level of abstraction on architecture level, i.e. is the security requirement on application, code or infrastructure level? Methodically, all sorts of sources and resources should be taken into account for creating the catalog and classification, i.e. both academic literature and grey literature or opensource repositories should be analysed for this purpose.

This thesis is only available as a bachelor thesis.