On Testing Security Requirements in Industry – A Survey Study
[ 1 ] Instytut Informatyki, Wydział Informatyki i Telekomunikacji, Politechnika Poznańska (Institute of Computing Science, Faculty of Computing and Telecommunications, Poznań University of Technology) | [ P ] employee
chapter in monograph / paper
- security requirements
[Context and motivation] Among all categories of non-functional requirements, security requirements are among those specified most frequently and handled with the most care. [Question/problem] Constant changes in the technologies used to develop software products lead to new and changing security requirements, which in turn requires adapting the approaches used to check whether the security requirements are satisfied. Thus the question arises whether, and how, security requirements are tested. [Principal ideas/results] We conducted an online survey among software development practitioners. 190 respondents from a wide variety of countries shared with us their experience of testing security requirements. [Contribution] We learned that security requirements are tested in the majority of the surveyed projects. However, in some projects with high impact (economic, human health, environment) the dedicated effort is small or none. The techniques used range from automated ones, such as static code analysis, to manual ones, such as code reviews. Most developers, QA engineers and DevOps engineers test security. The greatest challenges concern culture, knowledge, and the difficulty of specifying tests.
pp. 183-198