Research field: Strategies
Conference: International Working Conference on Requirements Engineering: Foundation for Software Quality
[Context and motivation] Among all categories of non-functional requirements, requirements concerning security are those that are specified frequently and tackled with care. [Question/problem] Constant changes in the technologies used to develop software products lead to new and changing security requirements, which requires adapting the approaches used to investigate whether the security requirements are satisfied. Thus, the question arises whether and how security requirements are tested. [Principal ideas/results] We conducted an online survey among software development practitioners. 190 respondents from a wide variety of countries shared with us their experience concerning testing security requirements. [Contribution] We learned that security requirements are tested in the majority of surveyed projects. However, in some projects having high impact (economic, human health, environment) the dedicated effort is small or none. Different techniques are used, from automated ones like static code analysis to manual ones like code reviews. Most developers, QAs and DevOps are testing security. The greatest challenges concern culture, knowledge, and difficulty in specifying tests.
| Publication year | 2022 |
|---|---|
| Citations | 0 |
| Country of publication | Poland |
| Site | Springer |