Empirically Analyzing and Evaluating Security Features in Software Requirements

Software requirements, for complex projects, often contain specifications of non-functional attributes (e.g., security-related features). The process of analyzing such requirements for compliance is laborious and error prone. Due to the inherent free-flowing nature of software requirements, it is appealing to apply Natural Language Processing (NLP) and Machine Learning (ML)-based techniques for analyzing these documents. In this paper, we propose a semi-automatic methodology that assesses the security requirements of software systems with respect to completeness and ambiguity, creating a bridge between the requirements documents and being in compliance with standards. Security standards, such as ISO and OWASP, are compared against software project documents for textual entailment relationships. These entailment results along with the document annotations are used to train a Neural Network model to predict whether a given statement in the document is found within the security standard or not. Hence, this approach aims to identify the appropriate structures that underlie software requirements documents. Once such structures are formalized and empirically validated, they will provide guidelines to software organizations for generating comprehensive and unambiguous requirements specification documents as related to security-oriented features.