2014 IEEE 22nd International Requirements Engineering Conference (RE) (2014)
Aug. 25, 2014 to Aug. 29, 2014
Stefan Gartner , Software Engineering Group, Leibniz Universität Hannover, Germany
Thomas Ruhroth , Software Engineering, TU Dortmund, Germany
Jens Burger , Software Engineering, TU Dortmund, Germany
Kurt Schneider , Software Engineering Group, Leibniz Universität Hannover, Germany
Jan Jurjens , Software Engineering, TU Dortmund, Germany
Security is an increasingly important quality facet in modern information systems and needs to be retained. Due to a constantly changing environment, long-living software systems “age” not by wearing out, but by failing to keep up-to-date with their environment. The problem is that requirements engineers usually do not have a complete overview of the security-related knowledge necessary to retain security of long-living software systems. This includes security standards, principles and guidelines as well as reported security incidents. In this paper, we focus on the identification of known vulnerabilities (and their variations) in natural-language requirements by leveraging security knowledge. For this purpose, we present an integrative security knowledge model and a heuristic method to detect vulnerabilities in requirements based on reported security incidents. To support knowledge evolution, we further propose a method based on natural language analysis to refine and to adapt security knowledge. Our evaluation indicates that the proposed assessment approach detects vulnerable requirements more reliable than other methods (Bayes, SVM, k-NN). Thus, requirements engineers can react faster and more effectively to a changing environment that has an impact on the desired security level of the information system.
Security, Information systems, Natural languages, Taxonomy, Ontologies, Analytical models
S. Gartner, T. Ruhroth, J. Burger, K. Schneider and J. Jurjens, "Maintaining requirements for long-living software systems by incorporating security knowledge," 2014 IEEE 22nd International Requirements Engineering Conference (RE), Karlskrona, Sweden, 2014, pp. 103-112.