An Ontology-based Approach for Automatic Specification, Verification, and Validation of Software Security Requirements: Preliminary Results
Affiliation: Centre for Research and Technology Hellas
Description
Critical software vulnerabilities are often caused by incorrect, vague, or missing security requirements. Hence, there is a strong need in the software engineering community for tools that assist software engineers in eliciting and evaluating security requirements. Although several methods have been proposed for specifying, verifying, and validating security requirements, they demand considerable manual effort from requirements engineers, which limits their practicality. To this end, we introduce a software security requirements specification mechanism that automatically identifies the main concepts of a given set of security requirements expressed in natural language. Our mechanism applies syntactic and semantic analysis to transform requirements into appropriately structured ontology objects. We also propose a software security requirements verification and validation mechanism, which compares a given security requirement against a curated list of well-defined security requirements using similarity checks, identifies inconsistencies, and proposes refinements. Both proposed mechanisms are implemented as standalone tools exposed as web services. The capabilities of the proposed mechanisms are demonstrated through a set of test cases.
Files
QRS_2021___Security_Requirement_Engineering_Mechanisms.pdf (1.1 MB), md5: ded22fcd10c6dbe6f5bfb3baf0d72f5c