Security Requirements Engineering for Service-Oriented Applications

Dalpiaz, Fabiano; Paja, Elda; Giorgini, Paolo
2011-01-01

Abstract

Security Requirements Engineering (SRE) is concerned with detecting and analysing security issues early in the software development process. Some variants of i* start from early requirements and rely on modelling actors and their dependencies. Though useful for traditional information systems development, these approaches adopt a bird's eye perspective that is inadequate for service-oriented applications, in which multiple autonomous and heterogeneous agents interact to achieve their own strategic interests. In this paper we present SecCo (Security via Commitments), a novel SRE framework expressly designed for service-oriented settings. The key intuition is to relate security requirements to interaction. In order to do so, we specify security requirements in terms of social commitments, promises with contractual validity between agents. These commitments describe the security properties the service provider commits to ensure to the consumer while delivering the service.
2011
Proceedings of the Fifth International i* Workshop
Aachen, Germany
CEUR
Files in this item:
File: istar11-a.pdf
Access: archive managers only
Type: Publisher's version (Publisher's layout)
License: All rights reserved
Size: 114.02 kB
Format: Adobe PDF

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/89649