Can we use LLMs to recover Trace Links between Source Code and Security Requirements?

Publication: Contribution to book/report/anthology/conference proceedings › Conference paper › Research › Peer-reviewed

Authors

Organisational units

External organisations

  • Universität Koblenz (UK)
  • Fraunhofer-Institut für Software- und Systemtechnik (ISST), Institutsteil Dortmund

Details

Original language: English
Title of host publication: Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 223-232
Number of pages: 10
ISBN (electronic): 9798331538347
ISBN (print): 979-8-3315-3835-4
Publication status: Published - 1 Sept. 2025
Event: 33rd IEEE International Requirements Engineering Conference Workshops, REW 2025 - Valencia, Spain
Duration: 1 Sept. 2025 to 5 Sept. 2025

Publication series

Name: Proceedings - International Requirements Engineering Conference Workshops
ISSN (print): 2770-6826
ISSN (electronic): 2770-6834

Abstract

In software development, many different artifacts are created during the process. At the beginning, requirements for the respective software are defined and then written down in a specification. This is followed by other artifacts, such as source code, test cases, or various UML diagrams. Different standards, including ISO 26262 for the automotive industry, require that safety and security requirements be explicitly traced across these different artifacts. However, tracing requirements into source code is very time-consuming, error-prone, and costly. To reduce the effort involved, various approaches have been developed that use different techniques, such as information retrieval or machine learning, to automate this process. However, these approaches also have problems, so their practical use, especially in the safety and security domains, is limited. In this paper, we have therefore developed a plugin for VSCode and a new approach based on LLMs to recover trace links between safety and security requirements and source code. Our results show that the LLMs used are capable of performing this task because they have both code and textual understanding. In various combinations, Llama showed satisfying results in terms of precision (0.8).

Cite

Can we use LLMs to recover Trace Links between Source Code and Security Requirements? / Paßlack, Jan Marc; Specht, Alexander; Herrmann, Marc et al.
Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025. Institute of Electrical and Electronics Engineers Inc., 2025. pp. 223-232 (Proceedings - International Requirements Engineering Conference Workshops).

Paßlack, JM, Specht, A, Herrmann, M, Elsofi, DAA, Ehl, M, Großer, K, Jürjens, J & Schneider, K 2025, Can we use LLMs to recover Trace Links between Source Code and Security Requirements? in Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025. Proceedings - International Requirements Engineering Conference Workshops, Institute of Electrical and Electronics Engineers Inc., pp. 223-232, 33rd IEEE International Requirements Engineering Conference Workshops, REW 2025, Valencia, Spain, 1 Sept. 2025. https://doi.org/10.1109/REW66121.2025.00035
Paßlack, J. M., Specht, A., Herrmann, M., Elsofi, D. A. A., Ehl, M., Großer, K., Jürjens, J., & Schneider, K. (2025). Can we use LLMs to recover Trace Links between Source Code and Security Requirements? In Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025 (pp. 223-232). (Proceedings - International Requirements Engineering Conference Workshops). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/REW66121.2025.00035
Paßlack JM, Specht A, Herrmann M, Elsofi DAA, Ehl M, Großer K et al. Can we use LLMs to recover Trace Links between Source Code and Security Requirements? in Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025. Institute of Electrical and Electronics Engineers Inc. 2025. pp. 223-232. (Proceedings - International Requirements Engineering Conference Workshops). doi: 10.1109/REW66121.2025.00035
Paßlack, Jan Marc ; Specht, Alexander ; Herrmann, Marc et al. / Can we use LLMs to recover Trace Links between Source Code and Security Requirements?. Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025. Institute of Electrical and Electronics Engineers Inc., 2025. pp. 223-232 (Proceedings - International Requirements Engineering Conference Workshops).
BibTeX
@inproceedings{6c9bbe61ff2e4f88b9e843f6cc1ac7b1,
title = "Can we use LLMs to recover Trace Links between Source Code and Security Requirements?",
abstract = "In software development, many different artifacts are created during the process. At the beginning, requirements for the respective software are defined and then written down in a specification. This is followed by other artifacts, such as source code, test cases, or various UML diagrams. Different standards, including ISO 26262 for the automotive industry, require that safety and security requirements be explicitly traced for these different artifacts. However, tracing of requirements in source code is very time-consuming, error-prone, and costly. To reduce the effort involved, various approaches have been developed that use different techniques, such as information retrieval or machine learning, to automate this process. However, these approaches also have problems, so that practical use, especially in safety and security domains, is limited. In this paper, we have therefore developed a plugin for VSCode and a new approach based on LLMs to recover trace links between safety and security requirements and source code. Our results show that the used LLMs are capable of performing this task because they have both code and textual understanding. In various combinations, Llama showed satisfying results in terms of precision (0.8).",
keywords = "Large Language Models, Safety Requirements, Security Requirements, Source Code, Tracing",
author = "Pa{\ss}lack, {Jan Marc} and Alexander Specht and Marc Herrmann and Elsofi, {Duaa Adel Ali} and Marco Ehl and Katharina Gro{\ss}er and Jan J{\"u}rjens and Kurt Schneider",
note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 33rd IEEE International Requirements Engineering Conference Workshops, REW 2025, REW 2025 ; Conference date: 01-09-2025 Through 05-09-2025",
year = "2025",
month = sep,
day = "1",
doi = "10.1109/REW66121.2025.00035",
language = "English",
isbn = "979-8-3315-3835-4",
series = "Proceedings -International Requirements Engineering Conference Workshops",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "223--232",
booktitle = "Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025",
address = "United States",
}

RIS

TY - GEN
T1 - Can we use LLMs to recover Trace Links between Source Code and Security Requirements?
AU - Paßlack, Jan Marc
AU - Specht, Alexander
AU - Herrmann, Marc
AU - Elsofi, Duaa Adel Ali
AU - Ehl, Marco
AU - Großer, Katharina
AU - Jürjens, Jan
AU - Schneider, Kurt
N1 - Publisher Copyright: © 2025 IEEE.
PY - 2025/9/1
Y1 - 2025/9/1
N2 - In software development, many different artifacts are created during the process. At the beginning, requirements for the respective software are defined and then written down in a specification. This is followed by other artifacts, such as source code, test cases, or various UML diagrams. Different standards, including ISO 26262 for the automotive industry, require that safety and security requirements be explicitly traced for these different artifacts. However, tracing of requirements in source code is very time-consuming, error-prone, and costly. To reduce the effort involved, various approaches have been developed that use different techniques, such as information retrieval or machine learning, to automate this process. However, these approaches also have problems, so that practical use, especially in safety and security domains, is limited. In this paper, we have therefore developed a plugin for VSCode and a new approach based on LLMs to recover trace links between safety and security requirements and source code. Our results show that the used LLMs are capable of performing this task because they have both code and textual understanding. In various combinations, Llama showed satisfying results in terms of precision (0.8).
AB - In software development, many different artifacts are created during the process. At the beginning, requirements for the respective software are defined and then written down in a specification. This is followed by other artifacts, such as source code, test cases, or various UML diagrams. Different standards, including ISO 26262 for the automotive industry, require that safety and security requirements be explicitly traced for these different artifacts. However, tracing of requirements in source code is very time-consuming, error-prone, and costly. To reduce the effort involved, various approaches have been developed that use different techniques, such as information retrieval or machine learning, to automate this process. However, these approaches also have problems, so that practical use, especially in safety and security domains, is limited. In this paper, we have therefore developed a plugin for VSCode and a new approach based on LLMs to recover trace links between safety and security requirements and source code. Our results show that the used LLMs are capable of performing this task because they have both code and textual understanding. In various combinations, Llama showed satisfying results in terms of precision (0.8).
KW - Large Language Models
KW - Safety Requirements
KW - Security Requirements
KW - Source Code
KW - Tracing
UR - http://www.scopus.com/inward/record.url?scp=105020905218&partnerID=8YFLogxK
U2 - 10.1109/REW66121.2025.00035
DO - 10.1109/REW66121.2025.00035
M3 - Conference contribution
AN - SCOPUS:105020905218
SN - 979-8-3315-3835-4
T3 - Proceedings -International Requirements Engineering Conference Workshops
SP - 223
EP - 232
BT - Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 33rd IEEE International Requirements Engineering Conference Workshops, REW 2025
Y2 - 1 September 2025 through 5 September 2025
ER -