Finding Quality Problems In Security Requirements Using NALABS

University essay from Mälardalens universitet/Akademin för innovation, design och teknik

Author: Rikard Hallberg; [2023]

Keywords: data; requirement; security; NLP; natural language;

Abstract: Security can be informally defined as the freedom from the conditions that cause a loss of assets. Security requirements are the ways that stakeholders involved in a software engineering project specify security in the end product. Requirements can be specified using Natural Language (NL), which comes with inherent ambiguity and vagueness in the form of “smells”. These smells can hint at problems in meeting these requirements. In this thesis, we study 12 different smells built into a natural language processing (NLP) tool called NALABS. In a quantitative study, 661 security requirements contained in 46 documents spanning the past 27 years from three public repositories were analyzed using NALABS. Our results suggest that security requirements show a presence of certain smells and almost no presence of others. The ones that showed a significant presence in the data were the Number of Conjunctions (NC), Vagueness (NV), Imperatives (NI1 and NI2), and Continuances (CT). Requirements with these smells skewed towards 0 to 2 instances in 75% of the requirements. All requirements showed a word count of up to 50 words and a generally difficult reading level. The results mainly showed nine correlations between smell indicators, five of which had a strong relationship with the number of words. These results lead us to the conclusion that the presence of smells in NL security requirements is problematic, but it is not as widespread as initially believed. The most common problem in security requirements is a generally difficult reading level.
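The indicators named in the abstract (conjunctions, vague terms, imperatives, continuances, word count, reading level) can be illustrated with a small smell counter. The Python below is an added example written for this page; it is not NALABS and does not reproduce that tool's dictionaries, thresholds or NI1/NI2 definitions. Every keyword list, the mapping of shall/must/will to NI1 and should/may/could/might to NI2, the 50-word and reading-ease thresholds, and the three sample requirements are assumptions constructed for the example.

```python
"""Toy requirement-smell counter (added illustration, not NALABS).

All keyword lists, the NI1/NI2 mapping and the thresholds below are
assumptions chosen for this example; they are not NALABS's dictionaries.
"""
import re
from dataclasses import dataclass

# Assumed keyword lists (illustrative only).
CONJUNCTIONS = {"and", "or", "but", "nor", "yet", "and/or"}
VAGUE_TERMS = {"appropriate", "adequate", "sufficient", "reasonable", "as needed",
               "secure", "robust", "user-friendly", "efficient", "timely", "normal"}
STRONG_IMPERATIVES = {"shall", "must", "will"}          # treated here as NI1 (assumption)
WEAK_IMPERATIVES = {"should", "may", "could", "might"}  # treated here as NI2 (assumption)
CONTINUANCES = {"below:", "as follows:", "following:", "listed:", "in particular:"}

TOKEN_RE = re.compile(r"[a-z][a-z'/-]*")
SENTENCE_RE = re.compile(r"[.!?]+")

# Constructed sample requirements (not taken from any repository).
SAMPLE_REQUIREMENTS = [
    "The system shall encrypt all stored credentials and session tokens using an appropriate algorithm.",
    "The administrator should be able to configure the following: password length, lockout threshold, and session timeout.",
    "Audit logs must be protected from unauthorized modification.",
]


def syllables(word: str) -> int:
    """Rough English syllable estimate: count vowel groups, drop one for a trailing silent e."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def flesch_reading_ease(text: str) -> float:
    """Flesch Reading Ease: lower is harder; below 30 is usually read as 'very difficult'."""
    words = TOKEN_RE.findall(text.lower())
    if not words:
        return 0.0
    sentences = max(1, len(SENTENCE_RE.findall(text)))
    syl = sum(syllables(w) for w in words)
    return 206.835 - 1.015 * (len(words) / sentences) - 84.6 * (syl / len(words))


@dataclass
class SmellReport:
    words: int
    conjunctions: int   # NC
    vague: int          # NV
    imperatives_1: int  # NI1 (assumed mapping)
    imperatives_2: int  # NI2 (assumed mapping)
    continuances: int   # CT
    reading_ease: float


def count_phrases(lower_text: str, phrases) -> int:
    """Count whole-word hits, including multi-word entries such as 'as needed'."""
    return sum(len(re.findall(r"(?<![a-z])" + re.escape(p) + r"(?![a-z])", lower_text))
               for p in phrases)


def analyze(requirement: str) -> SmellReport:
    """Compute the smell indicators for one requirement sentence."""
    lower = requirement.lower()
    tokens = TOKEN_RE.findall(lower)
    return SmellReport(
        words=len(tokens),
        conjunctions=sum(t in CONJUNCTIONS for t in tokens),
        vague=count_phrases(lower, VAGUE_TERMS),
        imperatives_1=sum(t in STRONG_IMPERATIVES for t in tokens),
        imperatives_2=sum(t in WEAK_IMPERATIVES for t in tokens),
        continuances=count_phrases(lower, CONTINUANCES),
        reading_ease=flesch_reading_ease(requirement),
    )


def flags(r: SmellReport, max_words: int = 50, min_ease: float = 30.0) -> list:
    """Turn counts into reviewer-facing flags (thresholds are assumptions)."""
    out = []
    if r.conjunctions:
        out.append(f"NC={r.conjunctions}: 'and'/'or' may bundle several requirements into one")
    if r.vague:
        out.append(f"NV={r.vague}: vague term leaves the acceptance criterion undefined")
    if r.imperatives_2:
        out.append(f"NI2={r.imperatives_2}: weak imperative is not testable as an obligation")
    if r.continuances:
        out.append(f"CT={r.continuances}: continuance introduces a list that may hide requirements")
    if r.words > max_words:
        out.append(f"{r.words} words: over the {max_words}-word guideline")
    if r.reading_ease < min_ease:
        out.append(f"reading ease {r.reading_ease:.1f}: very difficult")
    return out


def share_within(reports, attr: str, lo: int = 0, hi: int = 2) -> float:
    """Share of requirements whose count for `attr` lies in [lo, hi] (as in the 0-2 skew)."""
    return sum(lo <= getattr(x, attr) <= hi for x in reports) / len(reports)


if __name__ == "__main__":
    reports = [analyze(req) for req in SAMPLE_REQUIREMENTS]
    for req, rep in zip(SAMPLE_REQUIREMENTS, reports):
        print(req)
        for f in flags(rep):
            print("  -", f)
    print("share with 0-2 conjunctions:", share_within(reports, "conjunctions"))
```

Run as a script to see each constructed requirement with its flags; the third sample has no conjunction, vague term or continuance, yet still scores as very difficult on reading ease, which mirrors the abstract's observation that reading level, rather than any single smell, is the most common problem.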
