Shareeful's research interests focus on the software and systems engineering domain, specifically requirements engineering, risk management, security, privacy and cloud computing. His long-term research goal is to deploy risk management practice effectively for software-intensive systems and to develop secure software systems for large, open and dynamic environments. He is also interested in applying the outputs of his research to different application domains, such as cloud computing, and in empirically evaluating the applicability of those outputs.
Goal-driven Software Development Risk Management Model (GSRM):
Risk management in software projects is critical and contributes effectively to increasing the likelihood of project success, yet it is not well applied in practice. There are several reasons for this: visible development costs always get more attention in the project; risks are intangible by nature and address issues not only from the present but also from the future; project-specific risks are less obvious and difficult to predict; and guidelines are missing on how to integrate risk management activities into the existing development process from an early stage. There is a need for systematic and effective risk management practice from the early stages of development, and for making the project manager aware of the impact of risk management practice.
GSRM contributes in this direction. GSRM uses a goal-driven approach to model and reason about risks and is explicitly integrated into the requirements engineering phase. This work empirically evaluated the impact of risk management on software projects using survey and case study research methods, and finally developed a goal-risk taxonomy. A number of publications from this work are included in the publication list.
Security Requirements Engineering Process (SecReq):
An important question that has been identified as crucial for integrating information security and requirements engineering is how to elicit security requirements and trace the identified requirements throughout development. Security requirement identification is a challenging task because, during requirements elicitation, vague and undocumented demands and desires from multiple stakeholders must be detected and merged with more conscious and documented requirements. This task is inherently difficult due to the different backgrounds, tacit assumptions and styles of communication among stakeholders.
Security requirements may be implicit, hidden, and spread out over different documents. There are standards and best practices, such as Common Criteria and ISO 27011:2005, aimed at guiding developers in building secure systems. Nevertheless, identifying requirements with security implications requires security expertise and experience, and security experts are not always available. This collaborative work developed SecReq, a security requirements elicitation and tracing methodology that uses HeRa, Common Criteria and UMLsec. The work is further extended with a focus on organizational learning to facilitate the security requirements elicitation process.
Security and Privacy Requirements Engineering Method for Cloud Computing:
Cloud computing is a paradigm that is radically changing the way humans store, share and access their digital files. Despite its many benefits, such as a rapidly elastic resource pool and on-demand service, the paradigm also creates challenges for both users and providers. In particular, there are issues related to security and privacy, such as unauthorized access, loss of privacy, data replication and regulatory violation, that require adequate attention. Despite recent research interest in developing software engineering techniques to support cloud-based systems, the literature fails to provide a systematic and structured approach that enables software engineers to identify security and privacy requirements and to select a suitable service provider based on such requirements. This work develops a framework that incorporates a modelling language and provides a structured process supporting the elicitation of security and privacy requirements and the selection of a service provider based on how well that provider satisfies the relevant security and privacy requirements.
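The two goal-driven ideas above, reasoning over a goal model (as GSRM does for risks) and selecting a provider by whether it satisfies the elicited security and privacy requirements, can be illustrated with a small evaluator. The following is an added example written for this page; it is not the framework's own modelling language or code, and it assumes a simplified AND/OR goal tree whose leaves name required controls, with constructed provider names and control identifiers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Goal:
    """A node in a goal model. Leaves carry a concrete requirement; inner
    nodes are AND- or OR-decomposed into sub-goals (hypothetical notation)."""
    name: str
    decomposition: str = "AND"          # "AND" or "OR"; ignored for leaves
    subgoals: List["Goal"] = field(default_factory=list)
    requirement: Optional[str] = None   # leaf: identifier of a required control


def is_satisfied(goal: Goal, controls: Set[str]) -> bool:
    """Bottom-up satisfaction: a leaf holds if the provider offers the control;
    an AND node needs every sub-goal, an OR node needs at least one."""
    if goal.requirement is not None:
        return goal.requirement in controls
    results = [is_satisfied(g, controls) for g in goal.subgoals]
    return all(results) if goal.decomposition == "AND" else any(results)


def unmet(goal: Goal, controls: Set[str]) -> List[str]:
    """Explain a failed evaluation: the leaf requirements (or the set of
    OR-alternatives) that the provider does not cover."""
    if goal.requirement is not None:
        return [] if goal.requirement in controls else [goal.requirement]
    if goal.decomposition == "OR":
        if is_satisfied(goal, controls):
            return []
        alternatives: List[str] = []
        for g in goal.subgoals:
            alternatives.extend(unmet(g, controls))
        return ["one of: " + ", ".join(alternatives)]
    gaps: List[str] = []
    for g in goal.subgoals:
        gaps.extend(unmet(g, controls))
    return gaps


def rank_providers(root: Goal,
                   providers: Dict[str, Set[str]]) -> List[Tuple[str, bool, List[str]]]:
    """Evaluate every candidate and order them: fully satisfying providers
    first, then by number of gaps, then by name for a stable order."""
    rows = [(name, is_satisfied(root, c), unmet(root, c)) for name, c in providers.items()]
    return sorted(rows, key=lambda r: (not r[1], len(r[2]), r[0]))


# Constructed sample goal model (hypothetical goals and control identifiers).
ROOT = Goal("Protect customer data in the cloud", "AND", [
    Goal("Prevent unauthorized access", "AND", [
        Goal("Multi-factor authentication", requirement="mfa"),
        Goal("Role-based access control", requirement="rbac"),
    ]),
    Goal("Preserve data confidentiality", "OR", [
        Goal("Customer-managed encryption keys", requirement="customer_managed_keys"),
        Goal("Provider encryption at rest", requirement="provider_encryption_at_rest"),
    ]),
    Goal("Meet data residency obligations", requirement="eu_region"),
    Goal("Control data replication", requirement="replication_disclosure"),
])

# Constructed provider capability statements (hypothetical providers).
PROVIDERS = {
    "Provider A": {"mfa", "rbac", "provider_encryption_at_rest",
                   "eu_region", "replication_disclosure"},
    "Provider B": {"mfa", "customer_managed_keys", "eu_region"},
    "Provider C": {"mfa", "rbac", "eu_region", "replication_disclosure"},
}

if __name__ == "__main__":
    for name, ok, gaps in rank_providers(ROOT, PROVIDERS):
        status = "satisfies all requirements" if ok else "fails: " + "; ".join(gaps)
        print(f"{name}: {status}")
```

The `unmet` function is what makes the evaluation useful in practice: rather than a bare pass/fail, it tells the engineer which elicited requirement a candidate provider leaves uncovered, and for an OR-decomposed goal it reports the whole set of acceptable alternatives, since any one of them would close the gap.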