Automatic Identification of Security Risks in Edicts for Software Procurement
R. N. Peclat, G. N. Ramos
2016 5th Brazilian Conference on Intelligent Systems (BRACIS), published 2016-10-01
DOI: 10.1109/BRACIS.2016.057 (https://doi.org/10.1109/BRACIS.2016.057)
Citations: 1
Abstract
Brazilian Federal Institutions must obtain software tools through procurement, which requires their software teams to develop, verify and audit the specifications so that software security risk concerns are clearly included in the edicts (the procurement notices). This work presents the Automated Analyst of Edicts, a tool that aids the analysis of such documents by automatically identifying the absence of relationships between their sentences and software security risk or security weakness concepts. The tool was tested on over 100 documents and compared against the performance of software security experts on multi-label classification of sentences into five of the OWASP Top Ten risks. It achieved 83% specificity when analyzing individual sentences for multiple risks, and 90% negative prediction probability (the proportion of sentence-risk pairs reported as unrelated that the experts also judged unrelated) when applied to specific sentence-to-risk relationships.
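The evaluation the abstract reports, specificity and negative prediction probability over a multi-label mapping of edict sentences onto OWASP Top Ten risks, as an added Python example that is not code from the paper or its tool. The classifier here is a hypothetical keyword matcher standing in for the paper's model; the five risk names, the keyword cues, the edict sentences and the expert labels are all constructed; and treating "individual sentences" as sentence-level (does the sentence relate to any risk?) and "specific risk sentence relationships" as pair-level (does sentence s relate to risk r?) is one reading of the two figures the abstract gives.

```python
"""Specificity and negative predictive value for multi-label sentence-to-risk
classification, checked against expert labels.

Constructed example. The keyword matcher is a deliberately simple stand-in,
not the classifier of the Automated Analyst of Edicts; risk names, cues,
sentences and expert labels are assumptions made for illustration.
"""
from dataclasses import dataclass

# Assumed five OWASP Top Ten (2013) risks; the paper does not say which five it used.
RISKS = ["A1_Injection", "A2_BrokenAuth", "A3_XSS", "A5_Misconfig", "A6_SensitiveData"]

# Assumed keyword cues per risk, matched as substrings of the lower-cased sentence.
KEYWORDS = {
    "A1_Injection": ["sql", "parameterized", "injection"],
    "A2_BrokenAuth": ["password", "session", "authentication", "login"],
    "A3_XSS": ["script", "output-encod", "cross-site"],
    "A5_Misconfig": ["default", "configuration", "hardening"],
    "A6_SensitiveData": ["encrypt", "tls", "hash", "personal data"],
}

# Constructed edict sentences paired with constructed expert labels (ground truth).
CORPUS = [
    ("The system shall use parameterized queries for all database access.", {"A1_Injection"}),
    ("All user passwords shall be stored using a salted adaptive hash.", {"A2_BrokenAuth", "A6_SensitiveData"}),
    ("User-supplied content shall be output-encoded before rendering in HTML pages.", {"A3_XSS"}),
    ("Default administrative accounts shall be removed before deployment.", {"A5_Misconfig"}),
    ("Personal data shall be encrypted at rest and in transit using TLS 1.2 or later.", {"A6_SensitiveData"}),
    ("The contractor shall deliver user documentation in Portuguese.", set()),
    ("Session tokens shall expire after 30 minutes of inactivity.", {"A2_BrokenAuth"}),
    ("The supplier shall provide a 12-month warranty.", set()),
    ("Input fields shall reject embedded scripts and SQL keywords.", {"A1_Injection", "A3_XSS"}),
    ("The default language of the interface shall be Portuguese.", set()),  # matcher false positive
    ("Credentials shall never be transmitted in clear text.", {"A2_BrokenAuth", "A6_SensitiveData"}),  # matcher false negative
]


def classify(sentence: str) -> set:
    """Stand-in multi-label classifier: every risk with a matching cue is assigned."""
    text = sentence.lower()
    return {risk for risk, cues in KEYWORDS.items() if any(cue in text for cue in cues)}


@dataclass
class Counts:
    """Confusion counts where 'positive' means 'sentence relates to the risk'."""
    tp: int = 0
    fp: int = 0
    fn: int = 0
    tn: int = 0

    def add(self, predicted: bool, actual: bool) -> None:
        if predicted and actual:
            self.tp += 1
        elif predicted:
            self.fp += 1
        elif actual:
            self.fn += 1
        else:
            self.tn += 1

    @property
    def specificity(self) -> float:
        """TN / (TN + FP): share of truly unrelated pairs the classifier also calls unrelated."""
        return self.tn / (self.tn + self.fp) if (self.tn + self.fp) else 0.0

    @property
    def npv(self) -> float:
        """TN / (TN + FN): share of pairs reported as unrelated that really are unrelated."""
        return self.tn / (self.tn + self.fn) if (self.tn + self.fn) else 0.0


def evaluate(corpus, classifier=classify):
    """Return (per_risk, pair_level, sentence_level) confusion counts.

    pair_level scores each (sentence, risk) relationship; sentence_level scores
    whether a sentence relates to any risk at all.
    """
    per_risk = {risk: Counts() for risk in RISKS}
    pair_level, sentence_level = Counts(), Counts()
    for text, expert in corpus:
        predicted = classifier(text)
        for risk in RISKS:
            p, a = risk in predicted, risk in expert
            per_risk[risk].add(p, a)
            pair_level.add(p, a)
        sentence_level.add(bool(predicted), bool(expert))
    return per_risk, pair_level, sentence_level


def unrelated_sentences(corpus, classifier=classify):
    """Sentences the classifier links to no risk: the 'absences' such a tool reports."""
    return [text for text, _ in corpus if not classifier(text)]


if __name__ == "__main__":
    per_risk, pair_level, sentence_level = evaluate(CORPUS)
    print(f"pair level:     specificity={pair_level.specificity:.3f} npv={pair_level.npv:.3f}")
    print(f"sentence level: specificity={sentence_level.specificity:.3f} npv={sentence_level.npv:.3f}")
    for risk, c in per_risk.items():
        print(f"{risk:17s} tp={c.tp} fp={c.fp} fn={c.fn} tn={c.tn} npv={c.npv:.3f}")
    for text in unrelated_sentences(CORPUS):
        print("no risk relationship found:", text)
```

Negative predictive value is the figure that matters for a tool whose output is "this sentence relates to no risk": every false negative is a security requirement the auditor is told they can skip, while a false positive only costs a manual second look. The per-risk breakdown in the stand-in shows both failure modes, a cue list that is too broad (the word "default" pulls a language setting into A5) and one that is too narrow (nothing in the A2 or A6 cues fires on "credentials in clear text"), which is exactly the kind of gap the comparison against expert labels is meant to surface.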