Investigating the use of Large Language Models in software security requirements: Results of a literature review

  • Amália Melo (USP)
  • Lucas Almeida (USP)
  • Lina Garcés (USP)

Abstract

This study investigates the application of Large Language Models (LLMs) to security requirements engineering by conducting a rapid literature review. The review characterizes current research in this domain with respect to: (i) the purposes for which LLMs are employed in security requirements activities; (ii) the families of LLMs explored (e.g., GPT, BERT, LLaMA), their capabilities (e.g., classification, generation), and underlying architectures (e.g., encoder, decoder, encoder-decoder); (iii) the techniques adopted for conditioning or guiding LLM behavior; (iv) the datasets used to train, fine-tune, or validate these models; and (v) the evaluation metrics applied to assess the performance of LLMs in supporting security requirements tasks. The findings contribute to a structured understanding of the current state of research and highlight key trends, gaps, and opportunities for advancing the use of LLMs in secure software engineering.

Keywords: software requirements, security, LLM, Large Language Model, secondary study

Published: 2025-09-23

MELO, Amália; ALMEIDA, Lucas; GARCÉS, Lina. Investigating the use of Large Language Models in software security requirements: Results of a literature review. In: BRAZILIAN WORKSHOP ON INTELLIGENT SOFTWARE ENGINEERING (ISE), 4., 2025, Recife/PE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 37-42. DOI: https://doi.org/10.5753/ise.2025.14892.