Finding Defects in Natural Language Confidentiality Requirements

Large-scale software systems must adhere to complex, multi-lateral security and privacy requirements from regulations. It is industrial practice to define such requirements in form of natural language (NL) documents. Currently existing approaches to analyzing NL confidentiality requirements rely on a manual linguistic transformation and normalization of the original text, prior to the analysis. This paper presents an alternative approach to analyzing requirements by using semantic annotations placed directly into the original NL documents. The benefits of this alternative approach are twofold: (1) it can effectively be supported by an interactive annotation tool and (2) there is a direct traceability between annotation structures and the original NL documents. We have evaluated our method and tool support using the same real-world case study that was used to evaluate the earlier linguistic approach. Our results show that our method generates the same results, i.e., it uncovers the same problems.