Incorporating Verification Standards for Security Requirements Generation from Functional Specifications
Xiaoli Lian, Shuaisong Wang, Hanyu Zou, Fang Liu, Jiajun Wu, Li Zhang

TL;DR
This paper presents F2SRD, an automated method that derives security requirements from functional specifications using security verification standards and GPT-4, improving accuracy and relevance in security requirement generation.
Contribution
Introduction of F2SRD, a novel automated approach that leverages security verification standards and GPT-4 to generate security requirements from functional specifications.
Findings
F2SRD outperforms existing models in diversity and specificity of generated security requirements.
The VR retriever effectively selects relevant security verification requirements from ASVS.
Automated SR generation reduces manual effort and improves consistency.
Abstract
In the current software-driven era, ensuring privacy and security is critical. Despite this, the specification of security requirements for software is still largely a manual and labor-intensive process. Engineers are tasked with analyzing potential security threats based on functional requirements (FRs), a procedure prone to omissions and errors due to the expertise gap between cybersecurity experts and software engineers. To bridge this gap, we introduce F2SRD (Function to Security Requirements Derivation), an automated approach that proactively derives security requirements (SRs) from functional specifications under the guidance of relevant security verification requirements (VRs) drawn from the well-recognized OWASP Application Security Verification Standard (ASVS). F2SRD operates in two main phases: Initially, we develop a VR retriever trained on a custom database of FR and VR…
