References of "Mai, Xuan Phu 50023577"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailA Natural Language Programming Approach for Requirements-based Security Testing
Mai, Xuan Phu UL; Pastore, Fabrizio UL; Göknil, Arda UL et al

in Mai, Xuan Phu; Pastore, Fabrizio; Göknil, Arda (Eds.) et al A Natural Language Programming Approach for Requirements-based Security Testing (2018)

To facilitate communication among stakeholders, software security requirements are typically written in natural language and capture both positive requirements (i.e., what the system is supposed to do to ... [more ▼]

To facilitate communication among stakeholders, software security requirements are typically written in natural language and capture both positive requirements (i.e., what the system is supposed to do to ensure security) and negative requirements (i.e., undesirable behavior undermining security). In this paper, we tackle the problem of automatically generat- ing executable security test cases from security requirements in natural language (NL). More precisely, since existing approaches for the generation of test cases from NL requirements verify only positive requirements, we focus on the problem of generating test cases from negative requirements. We propose, apply and assess Misuse Case Programming (MCP), an approach that automatically generates security test cases from misuse case specifications (i.e., use case specifications capturing the behavior of malicious users). MCP relies on natural language processing techniques to extract the concepts (e.g., inputs and activities) appearing in requirements specifications and generates executable test cases by matching the extracted concepts to the members of a provided test driver API. MCP has been evaluated in an industrial case study, which provides initial evidence of the feasibility and benefits of the approach. [less ▲]

Detailed reference viewed: 122 (10 UL)
Full Text
Peer Reviewed
See detailModeling Security and Privacy Requirements: a Use Case-Driven Approach
Mai, Xuan Phu UL; Göknil, Arda UL; Shar, Lwin Khin et al

in Information and Software Technology (2018), 100

Context: Modern internet-based services, ranging from food-delivery to home-caring, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These ... [more ▼]

Context: Modern internet-based services, ranging from food-delivery to home-caring, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces (e.g., mobile and wearable device applications). Since they often handle private information (e.g., location and health status), their security and privacy requirements are of crucial importance. Defining and analyzing those requirements is a significant challenge due to the multiple types of software components and devices integrated into software ecosystems. Each software component presents peculiarities that often depend on the context and the devices the component interact with, and that must be considered when dealing with security and privacy requirements. Objective: In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements in a structured and analyzable form. Our motivation is that, in many contexts, use cases are common practice for the elicitation of functional requirements and should also be adapted for describing security requirements. Method: We integrate an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically report inconsistencies among artifacts and between the templates and specifications. Results: We successfully applied our approach to an industrial healthcare project and report lessons learned and results from structured interviews with engineers. Conclusion: Since our approach supports the precise specification and analysis of security threats, threat scenarios and their mitigations, it also supports decision making and the analysis of compliance to standards. [less ▲]

Detailed reference viewed: 64 (7 UL)
Full Text
See detailModeling Security and Privacy Requirements for Mobile Applications: a Use Case-driven Approach
Mai, Xuan Phu UL; Göknil, Arda UL; Shar, Lwin Khin UL et al

Report (2017)

Defining and addressing security and privacy requirements in mobile apps is a significant challenge due to the high level of transparency regarding users' (private) information. In this paper, we propose ... [more ▼]

Defining and addressing security and privacy requirements in mobile apps is a significant challenge due to the high level of transparency regarding users' (private) information. In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements of mobile apps in a structured and analyzable form. Our motivation is that, in many contexts including mobile app development, use cases are common practice for the elicitation and analysis of functional requirements and should also be adapted for describing security requirements. We integrate and adapt an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically detect and report inconsistencies among artifacts and between the templates and specifications. Since our approach supports stakeholders in precisely specifying and checking security threats, threat scenarios and their mitigations, it is expected to help with decision making and compliance with standards for improving security. We successfully applied our approach to industrial mobile apps and report lessons learned and results from structured interviews with engineers. [less ▲]

Detailed reference viewed: 256 (27 UL)