TY - GEN
T1 - A Natural Language Programming Approach for Requirements-Based Security Testing
AU - Mai, Phu X.
AU - Pastore, Fabrizio
AU - Goknil, Arda
AU - Briand, Lionel C.
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/11/16
Y1 - 2018/11/16
N2 - To facilitate communication among stakeholders, software security requirements are typically written in natural language and capture both positive requirements (i.e., what the system is supposed to do to ensure security) and negative requirements (i.e., undesirable behavior undermining security). In this paper, we tackle the problem of automatically generating executable security test cases from security requirements in natural language (NL). More precisely, since existing approaches for the generation of test cases from NL requirements verify only positive requirements, we focus on the problem of generating test cases from negative requirements. We propose, apply and assess Misuse Case Programming (MCP), an approach that automatically generates security test cases from misuse case specifications (i.e., use case specifications capturing the behavior of malicious users). MCP relies on natural language processing techniques to extract the concepts (e.g., inputs and activities) appearing in requirements specifications and generates executable test cases by matching the extracted concepts to the members of a provided test driver API. MCP has been evaluated in an industrial case study, which provides initial evidence of the feasibility and benefits of the approach.
KW - Natural Language Processing
KW - Natural Language Programming
KW - Natural Language Requirements
KW - System Security Testing
UR - http://www.scopus.com/inward/record.url?scp=85059605040&partnerID=8YFLogxK
U2 - 10.1109/ISSRE.2018.00017
DO - 10.1109/ISSRE.2018.00017
M3 - Conference contribution
AN - SCOPUS:85059605040
T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE
SP - 58
EP - 69
BT - Proceedings - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018
A2 - Ghosh, Sudipto
A2 - Cukic, Bojan
A2 - Poston, Robin
A2 - Natella, Roberto
A2 - Laranjeiro, Nuno
PB - IEEE Computer Society
T2 - 29th IEEE International Symposium on Software Reliability Engineering, ISSRE 2018
Y2 - 15 October 2018 through 18 October 2018
ER -