{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,25]],"date-time":"2025-10-25T12:37:23Z","timestamp":1761395843538,"version":"3.37.3"},"reference-count":59,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2020,9,18]],"date-time":"2020-09-18T00:00:00Z","timestamp":1600387200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2020,9,18]],"date-time":"2020-09-18T00:00:00Z","timestamp":1600387200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Requirements Eng"],"published-print":{"date-parts":[[2020,12]]},"DOI":"10.1007\/s00766-020-00338-w","type":"journal-article","created":{"date-parts":[[2020,9,18]],"date-time":"2020-09-18T09:03:59Z","timestamp":1600419839000},"page":"439-468","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":16,"title":["An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications"],"prefix":"10.1007","volume":"25","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4142-6967","authenticated-orcid":false,"given":"Hugo","family":"Villamizar","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Marcos","family":"Kalinowski","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alessandro","family":"Garcia","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Mendez","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2020,9,18]]},"reference":[{"key":"338_CR1","doi-asserted-by":"crossref","unstructured":"Alsaqaf W, Daneva M, Wieringa R (2017) Quality requirements in large-scale distributed agile projects\u2013a systematic literature review. In: International working conference on requirements engineering: foundation for software quality, pp 219\u2013234. Springer, Berlin","DOI":"10.1007\/978-3-319-54045-0_17"},{"key":"338_CR2","unstructured":"Araujo R, Curphey M (2005) Software security code review: code inspection finds problems. Software Magazine. July 2005"},{"key":"338_CR3","unstructured":"Azuma M (2001) Square: the next generation of the ISO\/IEC 9126 and 14598 international standards series on software product quality. In: ESCOM (European software control and metrics conference), pp 337\u2013346. Springer, Berlin"},{"key":"338_CR4","unstructured":"Basili V, Caldiera G, Lanubile F, Shull F (1996) Studies on reading techniques. In: Proceedings of the twenty-first annual software engineering workshop, vol 96, p 002. Citeseer"},{"key":"338_CR5","unstructured":"Basili VR (1992) Software modeling and measurement: the goal\/question\/metric paradigm. Tech. rep"},{"key":"338_CR6","unstructured":"Beck K, Beedle M, Van Bennekum A, Cockburn A, Cunningham W, Fowler M, Grenning J, Highsmith J, Hunt A, Jeffries R et al (2001) Manifesto for agile software development.\u00a0http:\/\/agilemanifesto.org. Accessed 21 Aug 2020"},{"issue":"6","key":"338_CR7","doi-asserted-by":"publisher","first-page":"1809","DOI":"10.1007\/s10664-013-9263-y","volume":"19","author":"E Bjarnason","year":"2014","unstructured":"Bjarnason E, Runeson P, Borg M, Unterkalmsteiner M, Engstr\u00f6m E, Regnell B, Sabaliauskaite G, Loconsole A, Gorschek T, Feldt R (2014) Challenges and practices in aligning requirements with verification and validation: a case study of six companies. Empir Softw Eng 19(6):1809\u20131855","journal-title":"Empir Softw Eng"},{"key":"338_CR8","doi-asserted-by":"publisher","first-page":"64","DOI":"10.1109\/2.976920","volume":"1","author":"B Boehm","year":"2002","unstructured":"Boehm B (2002) Get ready for agile methods, with care. Computer 1:64\u201369","journal-title":"Computer"},{"issue":"37","key":"338_CR9","first-page":"426","volume":"426","author":"B Boehm","year":"2005","unstructured":"Boehm B, Basili VR (2005) Software defect reduction top 10 list. Foundations of empirical software engineering: the legacy of Victor R. Basili 426(37):426\u2013431","journal-title":"Basili"},{"issue":"1","key":"338_CR10","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1109\/MS.2008.1","volume":"25","author":"L Cao","year":"2008","unstructured":"Cao L, Ramesh B (2008) Agile requirements engineering practices: an empirical study. IEEE Softw 25(1):60\u201367","journal-title":"IEEE Softw"},{"key":"338_CR11","unstructured":"Carver JC (2010) Towards reporting guidelines for experimental replications: A proposal. In: 1st international workshop on replication in empirical software engineering, pp 2\u20135. Citeseer"},{"key":"338_CR12","unstructured":"Carver JC, Shull F, Rus I (2006) Finding and fixing problems early: a perspective-based approach to requirements and design inspections. STSC CrossTalk"},{"key":"338_CR13","volume-title":"Non-functional requirements in software engineering","author":"L Chung","year":"2012","unstructured":"Chung L, Nixon BA, Yu E, Mylopoulos J (2012) Non-functional requirements in software engineering, vol 5. Springer, Berlin"},{"key":"338_CR14","doi-asserted-by":"crossref","unstructured":"Daneva M, Wang C (2018) Security requirements engineering in the agile era: how does it work in practice? In: 2018 IEEE 1st international workshop on quality requirements in agile projects (QuaRAP), pp 10\u201313. IEEE","DOI":"10.1109\/QuaRAP.2018.00008"},{"key":"338_CR15","doi-asserted-by":"crossref","unstructured":"Davis FD (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS quarterly, pp 319\u2013340","DOI":"10.2307\/249008"},{"key":"338_CR16","doi-asserted-by":"publisher","first-page":"160","DOI":"10.1016\/j.infsof.2016.02.005","volume":"74","author":"G Deepa","year":"2016","unstructured":"Deepa G, Thilagam PS (2016) Securing web applications from injection and logic vulnerabilities: approaches and challenges. Inf Softw Technol 74:160\u2013180","journal-title":"Inf Softw Technol"},{"key":"338_CR17","doi-asserted-by":"crossref","unstructured":"Devanbu PT, Stubblebine S (2000) Software engineering for security: a roadmap. In: Proceedings of the conference on the future of software engineering, pp 227\u2013239. ACM, Cambridge","DOI":"10.1145\/336512.336559"},{"key":"338_CR18","doi-asserted-by":"crossref","unstructured":"Domah D, Mitropoulos FJ (2015) The nerv methodology: a lightweight process for addressing non-functional requirements in agile software development. In: SoutheastCon 2015, pp 1\u20137. IEEE","DOI":"10.1109\/SECON.2015.7133028"},{"key":"338_CR19","unstructured":"Eberlein A, Leite J (2002) Agile requirements definition: a view from requirements engineering. In: Proceedings of the international workshop on time-constrained requirements engineering (TCRE\u201902), pp 4\u20138"},{"key":"338_CR20","doi-asserted-by":"crossref","unstructured":"Elberzhager F, Klaus A, Jawurek M (2009) Software inspections using guided checklists to ensure security goals. In: 2009 international conference on availability, reliability and security, pp 853\u2013858. IEEE","DOI":"10.1109\/ARES.2009.20"},{"issue":"1","key":"338_CR21","doi-asserted-by":"publisher","first-page":"7","DOI":"10.1007\/s00766-009-0092-x","volume":"15","author":"B Fabian","year":"2010","unstructured":"Fabian B, G\u00fcrses S, Heisel M, Santen T, Schmidt H (2010) A comparison of security requirements engineering methods. Requir Eng 15(1):7\u201340","journal-title":"Requir Eng"},{"issue":"1","key":"338_CR22","doi-asserted-by":"publisher","first-page":"452","DOI":"10.1007\/s10664-017-9523-3","volume":"23","author":"D Falessi","year":"2018","unstructured":"Falessi D, Juristo N, Wohlin C, Turhan B, M\u00fcnch J, Jedlitschka A, Oivo M (2018) Empirical software engineering experts on the use of students and professionals in experiments. Empir Softw Eng 23(1):452\u2013489","journal-title":"Empir Softw Eng"},{"issue":"5","key":"338_CR23","doi-asserted-by":"publisher","first-page":"2298","DOI":"10.1007\/s10664-016-9451-7","volume":"22","author":"DM Fern\u00e1ndez","year":"2017","unstructured":"Fern\u00e1ndez DM, Wagner S, Kalinowski M, Felderer M, Mafra P, Vetr\u00f2 A, Conte T, Christiansson MT, Greer D, Lassenius C et al (2017) Naming the pain in requirements engineering. Empir Softw Eng 22(5):2298\u20132338","journal-title":"Empir Softw Eng"},{"issue":"5","key":"338_CR24","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1109\/MS.2015.122","volume":"32","author":"DM Fern\u00e1ndez","year":"2015","unstructured":"Fern\u00e1ndez DM, Wagner S, Kalinowski M, Schekelmann A, Tuzcu A, Conte T, Spinola R, Prikladnicki R (2015) Naming the pain in requirements engineering: comparing practices in brazil and germany. IEEE Softw 32(5):16\u201323","journal-title":"IEEE Softw"},{"key":"338_CR25","unstructured":"FoxBusiness.com: Biggest cyber attacks in history. Yahoo Finance. https:\/\/finance.yahoo.com\/news\/worst-cyber-attacks-past-10-202226243.html\u00a0. Accessed 21 Aug 2020"},{"key":"338_CR26","doi-asserted-by":"crossref","unstructured":"Goertzel KM, Winograd T, McKinley HL, Oh LJ, Colon M, McGibbon T, Fedchak E, Vienneau R (2007) Software security assurance: a state-of-art report (sar). Tech. rep., Information assurance technology analysis center (IATAC)","DOI":"10.21236\/ADA472363"},{"issue":"1","key":"338_CR27","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1109\/TSE.2007.70754","volume":"34","author":"C Haley","year":"2008","unstructured":"Haley C, Laney R, Moffett J, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133\u2013153","journal-title":"IEEE Trans Softw Eng"},{"key":"338_CR28","unstructured":"Halling M, Biffl S, Grechenig T, Kohle M (2001) Using reading techniques to focus inspection performance. In: Proceedings 27th EUROMICRO conference. 2001: a net odyssey, pp 248\u2013257. IEEE"},{"issue":"1","key":"338_CR29","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/s00766-009-0093-9","volume":"15","author":"SH Houmb","year":"2010","unstructured":"Houmb SH, Islam S, Knauss E, J\u00fcrjens J, Schneider K (2010) Eliciting security requirements and tracing them to design: an integration of common criteria, heuristics, and umlsec. Requir Eng 15(1):63\u201393","journal-title":"Requir Eng"},{"key":"338_CR30","volume-title":"The security development lifecycle","author":"M Howard","year":"2006","unstructured":"Howard M, Lipner S (2006) The security development lifecycle, vol 8. Microsoft Press, Redmond"},{"key":"338_CR31","doi-asserted-by":"publisher","first-page":"915","DOI":"10.1016\/j.chb.2014.10.046","volume":"51","author":"I Inayat","year":"2015","unstructured":"Inayat I, Salim SS, Marczak S, Daneva M, Shamshirband S (2015) A systematic literature review on agile requirements engineering practices and challenges. Comput Hum Behav 51:915\u2013929","journal-title":"Comput Hum Behav"},{"issue":"3","key":"338_CR32","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1145\/203330.203345","volume":"38","author":"RE Kraut","year":"1995","unstructured":"Kraut RE, Streeter LA (1995) Coordination in software development. Commun ACM 38(3):69\u201382","journal-title":"Commun ACM"},{"key":"338_CR33","doi-asserted-by":"crossref","unstructured":"Kuhrmann M, Diebold P, M\u00fcnch J, Tell P, Garousi V, Felderer M, Trektere K, McCaffery F, Linssen O, Hanser E et al (2017) Hybrid software and system development in practice: waterfall, scrum, and beyond. In: Proceedings of the 2017 international conference on software and system process, pp 30\u201339. ACM","DOI":"10.1145\/3084100.3084104"},{"key":"338_CR34","unstructured":"Lami G, Gnesi S, Fabbrini F, Fusani M, Trentanni G (2004) An automatic tool for the analysis of natural language requirements. Informe t\u00e9cnico, CNR Information Science and Technology Institute, Pisa, Italia, Setiembre"},{"key":"338_CR35","doi-asserted-by":"crossref","unstructured":"Lucassen G, Dalpiaz F, van der Werf JME, Brinkkemper S (2015) Forging high-quality user stories: towards a discipline for agile requirements. In: 2015 IEEE 23rd international requirements engineering conference (RE), pp 126\u2013135. IEEE","DOI":"10.1109\/RE.2015.7320415"},{"key":"338_CR36","volume-title":"Software security: building security","author":"G McGraw","year":"2006","unstructured":"McGraw G (2006) Software security: building security, vol 1. Addison-Wesley Professional, Cambridge"},{"key":"338_CR37","doi-asserted-by":"publisher","DOI":"10.21236\/ADA443493","volume-title":"Security quality requirements engineering (SQUARE) methodology","author":"NR Mead","year":"2005","unstructured":"Mead NR, Stehney T (2005) Security quality requirements engineering (SQUARE) methodology, vol 30. ACM, Cambridge"},{"issue":"4","key":"338_CR38","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1016\/j.csi.2010.01.006","volume":"32","author":"D Mellado","year":"2010","unstructured":"Mellado D, Blanco C, S\u00e1nchez LE, Fern\u00e1ndez-Medina E (2010) A systematic review of security requirements engineering. Comput Stand Interfaces 32(4):153\u2013165","journal-title":"Comput Stand Interfaces"},{"issue":"2","key":"338_CR39","doi-asserted-by":"publisher","first-page":"244","DOI":"10.1016\/j.csi.2006.04.002","volume":"29","author":"D Mellado","year":"2007","unstructured":"Mellado D, Fern\u00e1ndez-Medina E, Piattini M (2007) A common criteria based security requirements engineering process for the development of secure information systems. Computer standards & interfaces 29(2):244\u2013253","journal-title":"Computer standards & interfaces"},{"issue":"5","key":"338_CR40","doi-asserted-by":"publisher","first-page":"72","DOI":"10.1145\/1060710.1060712","volume":"48","author":"S Nerur","year":"2005","unstructured":"Nerur S, Mahapatra R, Mangalaraj G (2005) Challenges of migrating to agile methodologies. Commun ACM 48(5):72\u201378","journal-title":"Commun ACM"},{"key":"338_CR41","doi-asserted-by":"crossref","unstructured":"Nuseibeh B, Easterbrook S (2000) Requirements engineering: a roadmap. In: Proceedings of the conference on the future of software engineering, pp 35\u201346. ACM","DOI":"10.1145\/336512.336523"},{"key":"338_CR42","unstructured":"OWASP: The Open Web Application Security Project. https:\/\/owasp.org. Accessed 21 Aug 2020"},{"key":"338_CR43","doi-asserted-by":"crossref","unstructured":"Peine H, Jawurek M, Mandel S (2008) Security goal indicator trees: A model of software features that supports efficient security inspection. In: 2008 11th IEEE high assurance systems engineering symposium, pp 9\u201318. IEEE","DOI":"10.1109\/HASE.2008.57"},{"issue":"3","key":"338_CR44","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1109\/MS.2014.22","volume":"31","author":"B Penzenstadler","year":"2014","unstructured":"Penzenstadler B, Raturi A, Richardson D, Tomlinson B (2014) Safety, security, now sustainability: the nonfunctional requirement for the 21st century. IEEE Softw 31(3):40\u201347","journal-title":"IEEE Softw"},{"issue":"5","key":"338_CR45","doi-asserted-by":"publisher","first-page":"449","DOI":"10.1111\/j.1365-2575.2007.00259.x","volume":"20","author":"B Ramesh","year":"2010","unstructured":"Ramesh B, Cao L, Baskerville R (2010) Agile requirements engineering practices and challenges: an empirical study. Inform Syst J 20(5):449\u2013480","journal-title":"Inform Syst J"},{"key":"338_CR46","doi-asserted-by":"crossref","unstructured":"Riaz M, King J, Slankas J, Williams L (2014) Hidden in plain sight: automatically identifying security requirements from natural language artifacts. In: 2014 IEEE 22nd international requirements engineering conference (RE), pp 183\u2013192. IEEE","DOI":"10.1109\/RE.2014.6912260"},{"key":"338_CR47","doi-asserted-by":"publisher","first-page":"337","DOI":"10.1016\/j.jss.2015.12.021","volume":"113","author":"L Sampaio","year":"2016","unstructured":"Sampaio L, Garcia A (2016) Exploring context-sensitive data flow analysis for early vulnerability detection. J Syst Softw 113:337\u2013361. https:\/\/doi.org\/10.1016\/j.jss.2015.12.021","journal-title":"J Syst Softw"},{"key":"338_CR48","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1016\/j.csi.2016.08.011","volume":"49","author":"EM Sch\u00f6n","year":"2017","unstructured":"Sch\u00f6n EM, Thomaschewski J, Escalona MJ (2017) Agile requirements engineering: a systematic literature review. Comput Stand Interfaces 49:79\u201391","journal-title":"Comput Stand Interfaces"},{"key":"338_CR49","unstructured":"Shull FJ, Basili VR (1998) Developing techniques for using software documents: a series of empirical studies. Ph.D. thesis, research directed by Dept. of Computer Science. University of Maryland"},{"key":"338_CR50","doi-asserted-by":"crossref","unstructured":"Slankas J, Williams L (2013) Automated extraction of non-functional requirements in available documentation. In: 2013 1st International workshop on natural language analysis in software engineering (NaturaLiSE), pp 9\u201316. IEEE","DOI":"10.1109\/NAturaLiSE.2013.6611715"},{"issue":"1","key":"338_CR51","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.jnca.2010.07.006","volume":"34","author":"S Subashini","year":"2011","unstructured":"Subashini S, Kavitha V (2011) A survey on security issues in service delivery models of cloud computing. J Netw Comput Appl 34(1):1\u201311","journal-title":"J Netw Comput Appl"},{"key":"338_CR52","doi-asserted-by":"crossref","unstructured":"Terpstra E, Daneva M, Wang C (2017) Agile practitioners\u2019 understanding of security requirements: insights from a grounded theory analysis. In: 2017 IEEE 25th International Requirements Engineering Conference Workshops (REW), pp. 439\u2013442. IEEE","DOI":"10.1109\/REW.2017.54"},{"key":"338_CR53","doi-asserted-by":"crossref","unstructured":"Travassos G, Shull F, Fredericks M, Basili VR (1999) Detecting defects in object-oriented designs: using reading techniques to increase software quality. In: ACM Sigplan notices, vol 34, pp 47\u201356. ACM","DOI":"10.1145\/320385.320389"},{"issue":"5","key":"338_CR54","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1016\/j.infsof.2009.11.005","volume":"52","author":"M Turner","year":"2010","unstructured":"Turner M, Kitchenham B, Brereton P, Charters S, Budgen D (2010) Does the technology acceptance model predict actual use? a systematic literature review. Inf Softw Technol 52(5):463\u2013479","journal-title":"Inf Softw Technol"},{"issue":"2","key":"338_CR55","doi-asserted-by":"publisher","first-page":"43","DOI":"10.20982\/tqmp.03.2.p043","volume":"3","author":"CW VanVoorhis","year":"2007","unstructured":"VanVoorhis CW, Morgan BL (2007) Understanding power and rules of thumb for determining sample sizes. Tutor Quant Methods Psychol 3(2):43\u201350","journal-title":"Tutor Quant Methods Psychol"},{"key":"338_CR56","doi-asserted-by":"crossref","unstructured":"Villamizar H, Kalinowski M, Viana M, Fern\u00e1ndez DM (2018) A systematic mapping study on security in agile requirements engineering. In: 2018 44th Euromicro conference on software engineering and advanced applications (SEAA), pp 454\u2013461. IEEE","DOI":"10.1109\/SEAA.2018.00080"},{"key":"338_CR57","doi-asserted-by":"crossref","unstructured":"Villamizar H, Neto AA, Kalinowski M, Garcia A, M\u00e9ndez D (2019) An approach for reviewing security-related aspects in agile requirements specifications of web applications. In: 2019 IEEE 27th international requirements engineering conference (RE), pp 86\u201397. IEEE","DOI":"10.1109\/RE.2019.00020"},{"key":"338_CR58","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-29044-2","volume-title":"Experimentation in software engineering","author":"C Wohlin","year":"2012","unstructured":"Wohlin C, Runeson P, H\u00f6st M, Ohlsson MC, Regnell B, Wessl\u00e9n A (2012) Experimentation in software engineering. Springer, Berlin"},{"key":"338_CR59","unstructured":"Zubrow D (2004) Software quality requirements and evaluation, the iso 25000 series. Software Engineering Institute, Carnegie Mellon"}],"container-title":["Requirements Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00766-020-00338-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s00766-020-00338-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s00766-020-00338-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,9,18]],"date-time":"2021-09-18T00:38:43Z","timestamp":1631925523000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s00766-020-00338-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,9,18]]},"references-count":59,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,12]]}},"alternative-id":["338"],"URL":"https:\/\/doi.org\/10.1007\/s00766-020-00338-w","relation":{},"ISSN":["0947-3602","1432-010X"],"issn-type":[{"type":"print","value":"0947-3602"},{"type":"electronic","value":"1432-010X"}],"subject":[],"published":{"date-parts":[[2020,9,18]]},"assertion":[{"value":"11 December 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 September 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 September 2020","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}