A Regression Model Based Approach for
Identifying Security Requirements in Open Source
Software Development
Wentao Wang
∗
, Nesrin Hussein
∗
, Arushi Gupta
∗
, and Yinglin Wang
†
∗
Department of Electrical Engineering and Computer Science, University of Cincinnati, USA
†
Department of Computer Science and Technology, Shanghai University of Finance and Economics, China
Email: {wang2wt, husseinm, gupta2ai}@mail.uc.edu, wang.yinglin@shufe.edu.cn
Abstract—There are several security requirements identifica-
tion methods proposed by researchers in up-front requirements
engnieering (RE). However, in open source software (OSS)
projects, developers use lightweight representation and refine
requirements frequently by writing comments. They also tend to
discuss security aspect in comments by providing code snippets,
attachments, and external resource links. Since most security
requirements identification methods in up-front RE are based
on textual information retrieval techniques, these methods are
not suitable for OSS projects or just-in-time RE. In our study,
we propose a new model based on logistic regression to identify
security requirements in OSS projects. We used five metrics to
build security requirements identification models and tested the
performance of these metrics by applying those models to three
OSS projects. Our results show that four out of five metrics
achieved high performance in intra-project testing.
Index Terms—Just-in-time requirements engineering, open
source software, security requirements identification.
I. INTRODUCTION
Security plays a critical role in ope source software (OSS).
Security refers to a class of non-functional requirements
(NFRs) related to system confidentiality, integrity, and avail-
ability [1]. Early detection of security requirements enables
them to be incorporated into the initial architectural design
instead of being refactored at a later date [2].
A considerable number of studies have been done on de-
tecting security requirements [3], [4]. However, they are labor
intensive. Cleland-Huang et al. [2] proposed NFR-classifier, an
automated approach based on information retrieval methods
for detecting and classifying NFRs . NFR-classifier consists
of two stages. In the first stage, a set of indicator terms
is identified from pre-identified security requirements. In the
second stage, indicator terms are used to query additional
security requirements. In traditional or up-front RE, NFR-
classifier can achieve high recall (80%) which measures the
percentage of NFRs that were correctly retrieved, but low
precision (20%) which measures the total number of correctly
retrieved NFRs with respect to the total number of retrieved
NFRs. In order to increase precision, Gibiec et al. [5] proposed
an automated approach for modifying the terms in the tracing
query. The results show that a significant portion of previously
hard-to-retrieve trace queries were improved by using this
method.
As a precursor to our work, we applied NFR-classifier to
three OSS projects. Unlike in [2], our results show that the
method can achieve relatively higher precision (15%-32%)
but relatively lower recall (50%-59%). We conclude that the
reason of lower recall is that, in OSS projects, security terms
are more likely appearing in comments instead of requirements
description. Therefore, only searching requirements descrip-
tion or statements will lead to more false negatives. In addition,
since comments contain much non-textual information such as
hyperlinks, images, and zip files, it is very hard to apply textual
mining methods directly to those information.
In this study, we investigate five metrics which can help au-
tomated retrieval of security requirements from OSS projects.
We performed empirical studies on three long-lived, widely-
used OSS projects. The results indicate that four out of five
metrics are discriminative of security requirements for all three
projects.
II. D
ATA COLLECTION
A. Datasets
In our study, we analyzed the requirements of three
OSS projects: Apache Axis2/Java (Axis2)
1
, Drools
2
, and
GeoServer
3
. We select these projects as the subject systems
due to three reasons. First, all of them are successful and long-
lived projects. Second, all resources including requirements
and source code are available. At last, all three projects are
web-based systems and security is one of the core aspects
of these projects, so identifying and realizing security re-
quirements are important tasks for developers of these three
projects.
These projects come from different application domains,
and all of them are written in Java. Axis2 is a web services
engine funded by Apache Software Foundation since August
2004. The newest version of Axis2 (1.7.4) was released
in December 2016. Drools is a business rule management
system developed by Red Hat. The latest stable release of
Drools is 6.5.0, which was published in December 2016.
GeoServer is a geographic system which allows users to edit
1
http://axis.apache.org/axis2/java/core/
2
https://www.drools.org
3
http://geoserver.org
2017 IEEE 25th International Requirements Engineering Conference Workshops
978-1-5386-3488-2/17 $31.00 © 2017 IEEE
DOI 10.1109/REW.2017.56
443
下载后可阅读完整内容,剩余3页未读,立即下载
weixin_38604330
- 粉丝: 6
- 资源: 950
我的内容管理
展开
最新资源
- 李兴华Java基础教程:从入门到精通
- U盘与硬盘启动安装教程:从菜鸟到专家
- C++面试宝典:动态内存管理与继承解析
- C++ STL源码深度解析:专家级剖析与关键技术
- C/C++调用DOS命令实战指南
- 神经网络补偿的多传感器航迹融合技术
- GIS中的大地坐标系与椭球体解析
- 海思Hi3515 H.264编解码处理器用户手册
- Oracle基础练习题与解答
- 谷歌地球3D建筑筛选新流程详解
- CFO与CIO携手:数据管理与企业增值的战略
- Eclipse IDE基础教程:从入门到精通
- Shell脚本专家宝典:全面学习与资源指南
- Tomcat安装指南:附带JDK配置步骤
- NA3003A电子水准仪数据格式解析与转换研究
- 自动化专业英语词汇精华:必备术语集锦
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
