Computing Reviews

Reusable knowledge in security requirements engineering: a systematic mapping study
Souag A., Mazo R., Salinesi C., Comyn-Wattiau I. Requirements Engineering 21(2): 251-283, 2016. Type: Article
Date Reviewed: 07/22/16

Data breaches, zero-day vulnerabilities, and attacks exploiting components core to global information technology (IT) infrastructure have become a mainstay of technology news over the last couple of years. Researchers and practitioners alike are vigorously trying to build detection and prevention capabilities to arrest this growing trend of loss due to poor security engineering and implementation discipline. Against this backdrop of advancements in every aspect of the information security industry, one area that needs a deeper look is security requirements engineering (SRE), and more specifically the reusability of knowledge cultivated over time when designing and building various security controls and mechanisms.

This paper, although self-admittedly far from perfect, is a commendable effort in asking the right questions of researchers as well as security professionals around SRE knowledge reuse. This exercise in discovery, mapping, and comparing works in SRE methodologies over the last 13 years may be incomplete, biased, and limited in scope, but it clearly demonstrates a few key lessons on the subject and the steady rise in interest in it.

The paper describes “five main types of knowledge forms of representation ... (re)used by SRE approaches: (1) security patterns; (2) taxonomies and ontologies; (3) templates and profiles; (4) catalogs and generic models; and (5) mixed.” The authors note that “a framework to compare and analyze knowledge reuse in SRE was also defined.”

Those interested in the topic of SRE and trends contributing to the rise in software vulnerabilities may find this paper to be a good, though not exhaustive, reference on works between 2000 and 2013.

Reviewer: Phoram Mehta Review #: CR144620 (1611-0811)
