
Theses and Dissertations
Issuing Body
Mississippi State University
Advisor
Bhowmik, Tanmay
Committee Member
Gudla, Charan
Committee Member
Torri, Stephen
Committee Member
Chen, Zhiqian
Date of Degree
8-7-2025
Original embargo terms
Visible MSU Only 2 Years
Document Type
Dissertation - Campus Access Only
Major
Computer Science
Degree Name
Doctor of Philosophy (Ph.D.)
College
James Worth Bagley College of Engineering
Department
Department of Computer Science and Engineering
Abstract
With software vulnerabilities increasing at an alarming rate, the need for proactive detection during early development stages has become critical. Traditional approaches often rely on static or dynamic analysis after implementation, whereas emerging research explores vulnerability prediction during requirements engineering. One such approach, proposed by Imtiaz et al., introduces a Requirement-to-Vulnerability (R-to-V) mapping that links existing requirements to known vulnerabilities by leveraging their shared source code artifacts. While promising, this approach suffers from several limitations, including a small and non-reproducible dataset, coarse-grained file-level mappings, and low model performance due to noise and class imbalance. In addition, the real-world implications of such a proactive approach remain unexplored, as no studies have assessed its usability or usefulness in practical settings. This dissertation presents a multi-phase investigation into the feasibility and effectiveness of integrating vulnerability awareness early in the Software Development Life Cycle (SDLC). We begin by evaluating how information derived from an R-to-V mapping influences developers’ ability to write secure code. Through a human-subject study, we observe that developers, particularly those with limited professional experience, benefit from such early insights. We then explore the role of this vulnerability information in eliciting security requirements, demonstrating its broader usefulness beyond implementation. Building on these findings, we propose further improvements to the R-to-V mapping framework by generating a function-level mapping using artifacts from Mozilla Firefox, enhancing both label quality and dataset granularity. Using this dataset, we train and evaluate a range of machine learning models. By incorporating text-based features and ensemble techniques, we construct a refined framework capable of predicting vulnerability classes for new requirements. 
Our evaluation highlights significant improvements in macro-averaged performance, that is, performance averaged over vulnerability classes rather than over instances, with the largest gains on rare vulnerability classes. Statistical testing confirms that the finer granularity and higher label quality contribute meaningfully to these gains. These findings suggest that integrating vulnerability prediction into requirements engineering not only supports early mitigation but also strengthens the foundation for secure software development. By enabling developers to identify potential risks before implementation, this approach promotes proactive security planning, reduces remediation costs, and supports the development of more robust systems.
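The abstract stresses macro-level gains on rare vulnerability classes. The following added example (not from the dissertation, whose data and label set are campus-access only) shows why that distinction matters: on a class-imbalanced mapping, accuracy or micro-averaged F1 is dominated by the majority class, while macro-averaged F1 gives each class equal weight. The 11 labelled requirements, the three class names and both sets of predictions are constructed for illustration.

```python
# Added illustration (not from the dissertation): why macro-averaged scores
# expose rare-class performance that accuracy / micro-averaged F1 hides.
from typing import Dict, List

# Constructed sample: 11 requirements, each labelled with the vulnerability
# class its implementing code was mapped to. The class names are illustrative
# buckets, not the dissertation's actual label set.
TRUE_LABELS: List[str] = ["memory"] * 8 + ["injection"] * 2 + ["auth"]

# Hypothetical predictions from a model that partly handles the rare classes:
# one of two "injection" requirements found, the single "auth" one missed.
MODEL_PRED: List[str] = ["memory"] * 8 + ["memory", "injection", "memory"]

# Trivial baseline that always predicts the majority class.
MAJORITY_PRED: List[str] = ["memory"] * len(TRUE_LABELS)


def per_class_scores(y_true: List[str], y_pred: List[str]) -> Dict[str, Dict[str, float]]:
    """Precision, recall, F1 and support for every class seen in y_true or y_pred."""
    classes = sorted(set(y_true) | set(y_pred))
    scores: Dict[str, Dict[str, float]] = {}
    for c in classes:
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == c and p == c)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != c and p == c)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == c and p != c)
        precision = tp / (tp + fp) if tp + fp else 0.0  # class never predicted -> 0
        recall = tp / (tp + fn) if tp + fn else 0.0      # class has no instances -> 0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        scores[c] = {"precision": precision, "recall": recall, "f1": f1,
                     "support": float(tp + fn)}
    return scores


def macro_f1(y_true: List[str], y_pred: List[str]) -> float:
    """Unweighted mean of per-class F1: every class counts equally,
    so a class that is never predicted drags the score down visibly."""
    scores = per_class_scores(y_true, y_pred)
    return sum(s["f1"] for s in scores.values()) / len(scores)


def micro_f1(y_true: List[str], y_pred: List[str]) -> float:
    """Pooled F1 over all instances. For single-label multiclass data this
    equals accuracy, so it is dominated by the most frequent class."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


if __name__ == "__main__":
    for name, pred in (("model", MODEL_PRED), ("majority baseline", MAJORITY_PRED)):
        print(f"{name}: micro F1 = {micro_f1(TRUE_LABELS, pred):.3f}, "
              f"macro F1 = {macro_f1(TRUE_LABELS, pred):.3f}")
        for c, s in per_class_scores(TRUE_LABELS, pred).items():
            print(f"  {c:10s} support={int(s['support'])} F1={s['f1']:.3f}")
```

On this constructed data the majority baseline scores 0.727 micro F1 but only 0.281 macro F1, and the model scores 0.818 micro but 0.519 macro. The micro gap between the two is nine points; the macro gap is twenty-four, and the per-class table shows the "auth" class is never predicted by either, which the micro score alone would not reveal. This is the sense in which an improvement reported at the macro level speaks specifically to rare classes.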
Recommended Citation
Amin, Md Rayhan, "Predicting vulnerabilities in software requirements and their implications for secure development" (2025). Theses and Dissertations. 6608.
https://scholarsjunction.msstate.edu/td/6608