A group of UTSA researchers is investigating how a new automated approach could be used to prevent software security vulnerabilities. The team intended to create a deep learning model that could train the software on how to automatically extract security policies.
Unlike traditional software development models, the agile software development process is intended to deliver software more quickly, eradicating the requirement for lengthy paperwork and changing software requirements. The only required documentation is user stories, which are specifications that define the software's requirements. However, the fundamental practises of this method, such as frequent code changes, restrict the capacity to perform security assurance evaluations.
Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering stated, “The basic idea of addressing this disconnect between security policies and agile software development came from happenstance conversation with software leaders in the industry.”
Before arriving on a deep learning strategy that can handle several formats of user stories, the researchers looked at various machine learning approaches.
To conduct the prediction, the model is composed of three parts: access control classifications, named entity recognition, and access type classification. The software uses access control classification to determine whether or not user stories contain access control information. The actors and data objects in the storey are identified by a named entity. The link between the two is determined by the access type classification. To evaluate their approach, the researchers used a data collection of 21 online applications, each with 50-130 user stories (a total of 1,600).
Krishnan stated, “With a dataset of 1,600 user stories, we developed a learning model based on transformers, a powerful machine learning technique. We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system’s access control.”
According to Krishnan, this unique new method will be a valuable tool in the modern agile software development life cycle. A manual method of extracting security policies would be error-prone and costly because agile software development focuses on incremental modifications to code. It is just another area where machine learning and artificial intelligence have proven to be effective.
He further added, “We recognize that there is little additional information about access control that can be extracted or determined directly from user stories in a fully automated approach. That means it is difficult, or impossible, to determine a software’s exact access control from user stories without human involvement. We plan to extend our approach to make it interactive with stakeholders so that they can help refine the access control information.”