Theses and Dissertations

Issuing Body

Mississippi State University

Advisor

Bhowmik, Tanmay

Committee Member

Gudla, Charan

Committee Member

Torri, Stephen

Committee Member

Chen, Zhiqian

Date of Degree

8-7-2025

Original embargo terms

Visible MSU Only 2 Years

Document Type

Dissertation - Campus Access Only

Major

Computer Science

Degree Name

Doctor of Philosophy (Ph.D.)

College

James Worth Bagley College of Engineering

Department

Department of Computer Science and Engineering

Abstract

With software vulnerabilities increasing at an alarming rate, the need for proactive detection during early development stages has become critical. Traditional approaches often rely on static or dynamic analysis after implementation, whereas emerging research explores vulnerability prediction during requirements engineering. One such approach, proposed by Imtiaz et al., introduces a Requirement-to-Vulnerability (R-to-V) mapping that links existing requirements to known vulnerabilities by leveraging their shared source code artifacts. While promising, this approach suffers from several limitations, including a small and non-reproducible dataset, coarse-grained file-level mappings, and low model performance due to noise and class imbalance. In addition, the real-world implications of such a proactive approach remain unexplored, as no studies have assessed its usability or usefulness in practical settings. This dissertation presents a multi-phase investigation into the feasibility and effectiveness of integrating vulnerability awareness early in the Software Development Life Cycle (SDLC). We begin by evaluating how information derived from an R-to-V mapping influences developers’ ability to write secure code. Through a human-subject study, we observe that developers, particularly those with limited professional experience, benefit from such early insights. We then explore the role of this vulnerability information in eliciting security requirements, demonstrating its broader usefulness beyond implementation. Building on these findings, we propose further improvements to the R-to-V mapping framework by generating a function-level mapping using artifacts from Mozilla Firefox, enhancing both label quality and dataset granularity. Using this dataset, we train and evaluate a range of machine learning models. By incorporating text-based features and ensemble techniques, we construct a refined framework capable of predicting vulnerability classes for new requirements. 
Our evaluation highlights significant improvements in macro-level performance, especially for rare vulnerability classes. Statistical testing confirms that the enhanced granularity and data quality contribute meaningfully to these gains. These findings suggest that integrating vulnerability prediction into requirements engineering not only supports early mitigation but also strengthens the foundation for secure software development. By enabling developers to identify potential risks before implementation, this approach promotes proactive security planning, reduces remediation costs, and supports the development of more robust systems.
