ICSE 2021
Mon 17 May - Sat 5 June 2021

Cyber attacks targeting software applications have a tremendous impact on our daily life. For example, attackers have exploited vulnerabilities in web applications to steal sensitive data stored in these systems and to gain unauthorized use of it. Previous studies indicate that security testing is highly precise, and it is therefore widely applied to validate individual security requirements. However, dependencies between security requirements may cause additional vulnerabilities. Manual dependency detection faces scalability challenges; for example, a previous study shows that the pairwise dependency analysis of 40 requirements would take around 12 hours. In this paper, we present a novel approach that integrates the interdependency among high-level security requirements, such as those documented in policies, regulations, and standards. We then use automated requirements tracing methods to identify product-level security requirements and their dependencies. Our manual analysis of HIPAA and FIPS 200 leads to the identification of five types of high-level security requirement dependencies, which further inform the automated tracing methods and guide the design of system-level security tests. Experimental results on five projects in the healthcare and education domains show significant recall improvements, reaching 81%. Our case study on a deployed production system uncovers four previously unknown vulnerabilities by using the detected requirements dependencies as test paths, demonstrating our approach’s value in connecting requirements engineering with security testing.

Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

19:20 - 20:15
3.5.3. Security Vulnerabilities: General Issues #1 (NIER - New Ideas and Emerging Results / Journal-First Papers / Technical Track) at Blended Sessions Room 3 (+12h)
Chair(s): Davide Fucci, Blekinge Institute of Technology

19:20 (20m) Paper: Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks (Technical Track)
Fabio Massacci (University of Trento and Vrije Universiteit Amsterdam), Ivan Pashchenko (University of Trento)
Pre-print, Media Attached

19:40 (15m) Short-paper: Secure Software Development in the Era of Fluid Multi-party Open Software and Services (NIER - New Ideas and Emerging Results)
Ivan Pashchenko (University of Trento), Riccardo Scandariato (Hamburg University of Technology), Antonino Sabetta (SAP Security Research), Fabio Massacci (University of Trento and Vrije Universiteit Amsterdam)
Pre-print, Media Attached

19:55 (20m) Paper: Detecting Software Security Vulnerabilities via Requirements Dependency Analysis (Journal-First Papers)
Wentao Wang (University of Cincinnati), Faryn Dumont (University of Cincinnati), Nan Niu (University of Cincinnati), Glen Horton (University of Cincinnati)
DOI, Pre-print, Media Attached

Fri 28 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

07:20 - 08:15

07:20 (20m) Paper: Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks (Technical Track)
Fabio Massacci (University of Trento and Vrije Universiteit Amsterdam), Ivan Pashchenko (University of Trento)
Pre-print, Media Attached

07:40 (15m) Short-paper: Secure Software Development in the Era of Fluid Multi-party Open Software and Services (NIER - New Ideas and Emerging Results)
Ivan Pashchenko (University of Trento), Riccardo Scandariato (Hamburg University of Technology), Antonino Sabetta (SAP Security Research), Fabio Massacci (University of Trento and Vrije Universiteit Amsterdam)
Pre-print, Media Attached

07:55 (20m) Paper: Detecting Software Security Vulnerabilities via Requirements Dependency Analysis (Journal-First Papers)
Wentao Wang (University of Cincinnati), Faryn Dumont (University of Cincinnati), Nan Niu (University of Cincinnati), Glen Horton (University of Cincinnati)
DOI, Pre-print, Media Attached