Semantic Analysis for Identifying Security Concerns in Software Procurement Edicts
| Published in | New Generation Computing, Vol. 36, no. 1, pp. 21-40 |
|---|---|
| Main Authors | , |
| Format | Journal Article |
| Language | English |
| Published | Tokyo: Ohmsha, 2018 (Springer Nature B.V.) |
| Subjects | |
| Summary | Brazilian Federal Institutions must acquire software tools by procurement, so their software teams have to develop, verify, and audit the specifications to ensure that the edicts properly include software security risk concerns. This work presents the Automated Analyst of Edicts tool, which aids the analysis of a document by automatically identifying absent relationships between its sentences and concepts related to software security risks or weaknesses. It was compared to software security experts' performance for multi-label classification into five of the OWASP Top 10 risks. Specificity of over 80% was achieved when analyzing individual sentences for multiple risks, and a 90% negative prediction probability was obtained when applied to specific risk–sentence relationships. |
| ISSN | 0288-3635; 1882-7055 |
| DOI | 10.1007/s00354-017-0022-2 |