Published on 05 April 2019

Artifacts: An Approach for Reviewing Security Related Aspects in Agile Requirements Specifications of Web Applications

Villamizar, Hugo; Neto, Amadeu Anderlin; Kalinowski, Marcos; Garcia, Alessandro; Fernández, Daniel Mendez

Description

Abstract—Defects in requirements specifications can have severe consequences during the software development lifecycle. Some of them result in overall project failure due to incorrect or missing quality characteristics. Security is one of those quality characteristics that need to be considered in early phases. There are several concerns that make security difficult to deal with; for instance, (1) when stakeholders discuss general requirements in (review) meetings, they are often not aware that they should also discuss security-related topics, and in the rather rare cases they are aware (2), they typically do not have sufficient security expertise. This picture is even more challenging in agile development contexts, where lightweight documentation is typically involved. To address these issues, we designed an approach that considers user stories and security specifications as input and relates those user stories to security properties via Natural Language Processing (NLP) techniques. Based on the related security properties, our approach then identifies high-level security requirements from the Open Web Application Security Project (OWASP) to be verified afterwards. In a last step, the verification of the generated security requirements is then conducted via a focused reading technique. We finally validate our approach via a controlled experiment comparing the effectiveness and efficiency of novice inspectors (we used two different groups of students) verifying security aspects in agile requirements using our generated reading techniques against using the complete list of OWASP high level security requirements and the same list of defect types embedded in our technique. The (statistically significant) results indicate that using the reading technique has a positive impact (with large effect size) on the performance of inspectors in terms of effectiveness and efficiency.
This repository also contains: Artifacts used and results of the experimental study of the paper entitled "An Approach for Reviewing Security Related Aspects in Agile Requirements Specifications of Web Applications".

Citations (0)

Mentions (0)

Metrics

Dataset Index

1.8

FAIR Score

73%

Publication Details

DOI

Publisher

Zenodo

Assigned Domain

Subfield

Information Systems

Field

Computer Science

Domain

Physical Sciences

Confidence Score

99%

Source

Open Alex

Keywords

Software Engineering; Software Security; Software Inspection; Agile Requirements Engineering

Normalization Factors

FT

13.46

CTw

1.00

MTw

1.00