An Automated Security Concerns Recommender Based on Use Case Specification Ontology

Automated Software Engineering (2022)

Abstract
Identifying security concerns is a security activity that can be integrated into the requirements development phase. However, it has been shown that manually identifying concerns is a time-consuming and challenging task. The software engineering community has utilized natural language processing and query systems to automatically find parts of the requirement specification with a specific concern. This research presents an ontology-based recommender system that suggests security concerns based on use case semantic rules and builds on recent studies to find concerns in use cases. Our approach is to model use cases for interface design and map specific parts of use cases to the Application Security Verification Standard (ASVS) based on security concerns at the interaction steps of use cases. We conducted two evaluations, where we generated use case models from Restricted Use Case Modeling (RUCM) descriptions and then used semantic rules to infer where a specific security concern is in the use case models. These evaluations show that the recommender achieves up to 100% precision and recall for modeling use cases and recommending security concerns when the use case steps strictly adhere to rules for RUCM use cases. Otherwise, the modeling precision and recall will have arbitrary values, thus affecting the precision and recall for the recommended security concerns. As the main contribution, our approach can address security concerns for ASVS at the level of use case interaction steps.
Keywords
Semantic Rules, Use Case Modeling, Ontology Formalisms, Knowledge-Based, Software Security