Evaluating software security change requests: A COSMIC-based quantification approach

Abstract

Software project scope defines functional and non-functional requirements. These requirements may change to satisfy the customers' needs. However, the control of scope creep represents one of the success keys in software project management. Changes in non-functional requirements affect the ISO/IEC 25010 quality characteristics such as security, portability, etc. Furthermore, some of these quality characteristics may evolve throughout the software life cycle into functional requirements. In this paper, we explore the use of COSMIC method-ISO/IEC 19761 to quantify and evaluate security change requests. Measuring the functional size of security change requests allows stakeholders to make appropriate decisions about whether to accept, defer, or deny the change. © 2019 IEEE.