
An Efficient Approach for Reviewing Security-Related Aspects in Agile Requirements Specifications of Web Applications

09/06/2020
by Hugo Villamizar, et al.

Defects in requirements specifications can have severe consequences during the software development lifecycle. Some of them may result in poor product quality and/or time and budget overruns due to incorrect or missing quality characteristics, such as security. This characteristic requires special attention in web applications because they have become a target for manipulating sensitive data. Several concerns make security difficult to deal with. For instance, security requirements are often misunderstood and improperly specified due to a lack of security expertise and a lack of emphasis on security during the early stages of software development. This often leads to unspecified or ill-defined security-related aspects. These concerns become even more challenging in agile contexts, where lightweight documentation is typically produced. To tackle this problem, we designed an approach for reviewing security-related aspects in agile requirements specifications of web applications. Our proposal takes user stories and security specifications as inputs and relates those user stories to security properties via Natural Language Processing. Based on the related security properties, our approach identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified, and generates a reading technique to support reviewers in detecting defects. We evaluate our approach via three experiment trials conducted with 56 novice software engineers, measuring effectiveness, efficiency, usefulness, and ease of use. We compare our approach against using: (1) the OWASP high-level security requirements, and (2) a perspective-based approach as proposed in the contemporary state of the art. The results strengthen our confidence that using our approach has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency.
