Abstract: This article describes how to adapt a specific part of the Rational Unified Process (RUP) framework for the purpose of conducting requirements gathering for software projects aimed at adding security features to legacy software. The RUP seems particularly fitting for this purpose because it aggregates numerous software engineering terms into a common body of knowledge and strives to give them clear and unambiguous semantics. Furthermore, the RUP allows project coordinators to pick and choose only the process elements best suited to meet the particular needs of a project. The article should prove useful to project managers, process engineers, and software architects responsible for teaching old software new security functions. It should also prove useful to organizations that have already carried out basic software security projects such as those that fix buffer overflows, teach the software to perform better data validation, replace unsafe string handling functions, and recompile code with safe exception handling. This article covers only a small and very specific part of the RUP. It interprets the RUP in ways guided by the author's experience and specializes the Requirements discipline for use in projects tasked with adding new security features to legacy software.