A Regression Model Based Approach for Identifying Security Requirements in Open Source Software Development

Researchers have proposed several security requirements identification methods for up-front requirements engineering (RE). In open source software (OSS) projects, however, developers use lightweight representations and refine requirements frequently by writing comments. They also tend to discuss security aspects in comments by providing code snippets, attachments, and links to external resources. Since most security requirements identification methods in up-front RE are based on textual information retrieval techniques, these methods are not well suited to OSS projects or to just-in-time RE. In this study, we propose a new model based on logistic regression to identify security requirements in OSS projects. We used five metrics to build security requirements identification models and evaluated the performance of these metrics by applying the models to three OSS projects. Our results show that four of the five metrics achieved high performance in intra-project testing.
