{"title":"Analyzing and evaluating security features in software requirements","authors":"Allenoush Hayrapetian, R. Raje","doi":"10.1145/3172871.3172879","DOIUrl":null,"url":null,"abstract":"Software requirements, for complex projects, often contain specifications of non-functional attributes (e.g., security-related features). The process of analyzing such requirements is laborious and error prone. Due to the inherent free-flowing nature of software requirements, it is tempting to apply Natural Language Processing (NLP) based Machine Learning (ML) techniques for analyzing these documents from the point of view of comprehensiveness and consistency. In this paper, we propose novel semi-automatic methodology that can assess the security requirements of the software system from the perspective of completeness, contradiction, and inconsistency. Security standards introduced by the ISO are used to construct a model for classifying security-based requirements using NLP-based ML techniques. Hence, this approach aims to identify the appropriate structures that underlie software requirement documents. Once such structures are formalized and empirically validated, they will provide guidelines to software organizations for generating comprehensive and unambiguous requirement specification documents as related to security-oriented features. 
The proposed solution will assist organizations during the early phases of developing secure software and reduce overall development effort and costs.","PeriodicalId":389065,"journal":{"name":"2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3172871.3172879","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 17
Abstract
Software requirements for complex projects often contain specifications of non-functional attributes (e.g., security-related features). The process of analyzing such requirements is laborious and error-prone. Due to the inherent free-flowing nature of software requirements, it is tempting to apply Natural Language Processing (NLP) based Machine Learning (ML) techniques for analyzing these documents from the point of view of comprehensiveness and consistency. In this paper, we propose a novel semi-automatic methodology that can assess the security requirements of the software system from the perspective of completeness, contradiction, and inconsistency. Security standards introduced by the ISO are used to construct a model for classifying security-based requirements using NLP-based ML techniques. Hence, this approach aims to identify the appropriate structures that underlie software requirement documents. Once such structures are formalized and empirically validated, they will provide guidelines to software organizations for generating comprehensive and unambiguous requirement specification documents as related to security-oriented features. The proposed solution will assist organizations during the early phases of developing secure software and reduce overall development effort and costs.