Detecting Software Security Vulnerabilities Via Requirements Dependency Analysis

Abstract

Cyber attacks targeting software applications have a tremendous impact on our daily life. For example, attackers have utilized vulnerabilities of web applications to steal and gain unauthorized use of sensitive data stored in these systems. Previous studies indicate that security testing is highly precise, and therefore is widely applied to validate individual security requirements. However, dependencies between security requirements may cause additional vulnerabilities. Manual dependency detection faces scalability challenges, e.g., a previous study shows that the pairwise dependency analysis of 40 requirements would take around 12 hours. In this article, we present a novel approach which integrates the interdependency among high-level security requirements, such as those documented in policies, regulations, and standards. We then use automated requirements tracing methods to identify product-level security requirements and their dependencies. Our manual analysis of HIPAA and FIPS 200 leads to the identification of five types of high-level security requirements dependencies, which further inform the automated tracing methods and guide the designs of system-level security tests. Experimental results on five projects in healthcare and education domains show the significant recall improvements at 81 percent. Our case study on a deployed production system uncovers four previously unknown vulnerabilities by using the detected requirements dependencies as test paths, demonstrating our approach's value in connecting requirements engineering with security testing.