Table of Contents
Fetching ...

Incorporating Verification Standards for Security Requirements Generation from Functional Specifications

Xiaoli Lian, Shuaisong Wang, Hanyu Zou, Fang Liu, Jiajun Wu, Li Zhang

TL;DR

The paper tackles the persistent challenge of automatically generating security requirements (SRs) from functional specifications (FRs) by grounding SR derivation in established security verification standards. It introduces F2SRD, a two-phase approach that first trains a VR retriever on FR-VR pairs derived from the OWASP ASVS standard, then uses retrieved VRs to prompt GPT-4 to produce SRs tailored to the FR context. The VR retriever demonstrates strong alignment with human judgments, while SR generation guided by relevant VRs yields higher inspiration, diversity, and specificity than RelGAN and standalone GPT-4, with both quantitative metrics and a human-subject study supporting these gains. The work also provides a reusable evaluation framework and publicly available data to foster further research in automated security requirements engineering.

Abstract

In the current software driven era, ensuring privacy and security is critical. Despite this, the specification of security requirements for software is still largely a manual and labor intensive process. Engineers are tasked with analyzing potential security threats based on functional requirements (FRs), a procedure prone to omissions and errors due to the expertise gap between cybersecurity experts and software engineers. To bridge this gap, we introduce F2SRD (Function to Security Requirements Derivation), an automated approach that proactively derives security requirements (SRs) from functional specifications under the guidance of relevant security verification requirements (VRs) drawn from the well recognized OWASP Application Security Verification Standard (ASVS). F2SRD operates in two main phases: Initially, we develop a VR retriever trained on a custom database of FR and VR pairs, enabling it to adeptly select applicable VRs from ASVS. This targeted retrieval informs the precise and actionable formulation of SRs. Subsequently, these VRs are used to construct structured prompts that direct GPT4 in generating SRs. Our comparative analysis against two established models demonstrates F2SRD's enhanced performance in producing SRs that excel in inspiration, diversity, and specificity essential attributes for effective security requirement generation. By leveraging security verification standards, we believe that the generated SRs are not only more focused but also resonate stronger with the needs of engineers.

Incorporating Verification Standards for Security Requirements Generation from Functional Specifications

TL;DR

The paper tackles the persistent challenge of automatically generating security requirements (SRs) from functional specifications (FRs) by grounding SR derivation in established security verification standards. It introduces F2SRD, a two-phase approach that first trains a VR retriever on FR-VR pairs derived from the OWASP ASVS standard, then uses retrieved VRs to prompt GPT-4 to produce SRs tailored to the FR context. The VR retriever demonstrates strong alignment with human judgments, while SR generation guided by relevant VRs yields higher inspiration, diversity, and specificity than RelGAN and standalone GPT-4, with both quantitative metrics and a human-subject study supporting these gains. The work also provides a reusable evaluation framework and publicly available data to foster further research in automated security requirements engineering.

Abstract

In the current software driven era, ensuring privacy and security is critical. Despite this, the specification of security requirements for software is still largely a manual and labor intensive process. Engineers are tasked with analyzing potential security threats based on functional requirements (FRs), a procedure prone to omissions and errors due to the expertise gap between cybersecurity experts and software engineers. To bridge this gap, we introduce F2SRD (Function to Security Requirements Derivation), an automated approach that proactively derives security requirements (SRs) from functional specifications under the guidance of relevant security verification requirements (VRs) drawn from the well recognized OWASP Application Security Verification Standard (ASVS). F2SRD operates in two main phases: Initially, we develop a VR retriever trained on a custom database of FR and VR pairs, enabling it to adeptly select applicable VRs from ASVS. This targeted retrieval informs the precise and actionable formulation of SRs. Subsequently, these VRs are used to construct structured prompts that direct GPT4 in generating SRs. Our comparative analysis against two established models demonstrates F2SRD's enhanced performance in producing SRs that excel in inspiration, diversity, and specificity essential attributes for effective security requirement generation. By leveraging security verification standards, we believe that the generated SRs are not only more focused but also resonate stronger with the needs of engineers.
Paper Structure (22 sections, 1 equation, 9 figures, 6 tables)

This paper contains 22 sections, 1 equation, 9 figures, 6 tables.

Figures (9)

  • Figure 1: Examples of GPT-4 Generating Generic Security Requirements for Diverse Functional Requirements.
  • Figure 2: An Example Demonstrating How the Paired VR Specifies Verification Criteria for the Given FR.
  • Figure 3: The Overview of F2SRD.
  • Figure 4: Data Synthesis Prompt Template Used in Step 1 of F2SRD.
  • Figure 5: SR Generation Prompt Used in Step 3 of F2SRD.
  • ...and 4 more figures