An Approach for Reviewing Security-Related Aspects in Agile Requirements Specifications of Web Applications. Villamizar, H., Anderlin-Neto, A., Kalinowski, M., Garcia, A., & Fernández, D. M. In Proceedings of the 27th IEEE International Requirements Engineering Conference, RE'19, Jeju Island, South Korea, September 23-27, pages 86-97, 2019. Nominated for Distinguished Paper Award at RE'19! Paper used as basis for receiving the "Second Best Brazilian Software Quality M.Sc. Dissertation Award" at SBQS 2020 - Student: Hugo Villamizar, Advisor: Marcos Kalinowski
Defects in requirements specifications can have severe consequences during the software development lifecycle. Some of them result in overall project failure due to incorrect or missing quality characteristics. Security is one of those quality characteristics that needs to be considered in early phases. There are several concerns that make security difficult to deal with; for instance, (1) when stakeholders discuss general requirements in (review) meetings, they are often not aware that they should also discuss security-related topics, and (2) in the rather rare cases where they are aware, they typically do not have sufficient security expertise. This picture is even more challenging in agile development contexts, where lightweight documentation is typically involved. To address these issues, we designed an approach that takes user stories and security specifications as input and relates those user stories to security properties via Natural Language Processing (NLP) techniques. Based on the related security properties, our approach then identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified afterwards. In a last step, the verification of the generated security requirements is conducted via a focused reading technique. We finally validate our approach via a controlled experiment comparing the effectiveness and efficiency of novice inspectors (we used two different groups of students) verifying security aspects in agile requirements using our generated reading techniques against using the complete list of OWASP high-level security requirements and the same list of defect types embedded in our technique. The (statistically significant) results indicate that using the reading technique has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency.