nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

Factors Impacting the Effort Required to Fix Security Vulnerabilities

An Industrial Case Study

verfasst von : Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, Achim D. Brucker, Philip Miseldine

Erschienen in: Information Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it decreases significantly the time, and therefore the cost required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports about a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, beside the vulnerabilities characteristics, the structure of the software involved, the diversity of the used technologies, the smoothness of the communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Dynamically Provisioning Isolation in Hierarchical Architectures

Nächstes Kapitel Software Security Maturity in Public Organisations

Nur mit Berechtigung zugänglich

Among other things, the duration includes the time the defect is in the repair queue after being assigned to a developer.

https://www.audiotranskription.de/english/f4.htm.

A code is a short phrase that assigns a summative, essence-capturing, and/or evocative attribute for a portion of text [15].

http://atlasti.com/.

The merge involves also discussing coding mismatches related to the difference in understanding the interviewee.

Recall that data extracted from interviews could not be used to derive statistical assurance of the conclusions since the collected information is descriptive.

This mitigates the threat ambiguity of the direction of the causality relationship.

The limitation is related to the selection of participants.

“What” type of questions are easy to answer when the purpose is to describe a concept/object.

Katzeff, P.: Hacking epidemic spurs security software stocks, February 2015. Investor’s business daily of 02/19/2015. http://news.investors.com/investing-mutual-funds/021915-740082-revenues-are-up-for-security-software-firms.htm

McGraw, G.: Software Security: Building Security In. Addison-Wesley Software Security Series. Pearson Education Inc., Boston (2006)

Bachmann, R., Brucker, A.D.: Developing secure software: a holistic approach to security testing. Datenschutz und Datensicherheit (DuD) 38(4), 257–261 (2014)CrossRef

Howard, M., Lipner, S.: The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, CA (2006)

Hamill, M., Goseva-Popstojanova, K.: Software faults fixing effort: Analysis and prediction. Technical report 20150001332, NASA Goddard Space Flight Center, Greenbelt, MD United States, January 2014

Hewett, R., Kijsanayothin, P.: On modeling software defect repair time. Empirical Softw. Eng. 14(2), 165–186 (2009)CrossRef

Cornell, D.: Remediation statistics: what does fixing application vulnerabilities cost? In: Proceedings of the RSAConference, San Fransisco, CA, USA, February 2012

Khoshgoftaar, T.M., Allen, E.B., Kalaichelvan, K.S., Goel, N.: Early quality prediction: a case study in telecommunications. IEEE Softw. 13(1), 65–71 (1996)CrossRef

Shin, Y., Williams, L.: Is complexity really the enemy of software security? In: Proceedings of the 4th ACM Workshop on Quality of Protection. QoP 2008, Alexandria, VA, USA, pp. 47–50, October 2008

10.

Chowdhury, I., Zulkernine, M.: Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. J. Syst. Archit. 57(3), 294–313 (2011). Special Issue on Security and Dependability Assurance of Software ArchitecturesCrossRef

11.

Brucker, A.D., Sodan, U.: Deploying static application security testing on a large scale. In: GI Sicherheit 2014. Lecture Notes in Informatics, vol. 228, pp. 91–101, March 2014

12.

Yin, R.K.: Case Study Research: Design and Methods. Sage Publications, Beverly Hills (1984)

13.

Jacob, S.A., Furgerson, S.P.: Writing interview protocols and conducting interviews: tips for students new to the field of qualitative research. Qual. Rep. 17(42), Article no. 6, 1–10, October 2012

14.

Brikci, N., Green, J.: A guide to using qualitative research methodology, February 2007. http://www.alnap.org/resource/13024

15.

Saldana, J.: The Coding Manual for Qualitative Researchers. SAGE Publications Ltd, London (2009)

16.

Wohlin, C., Runeson, P., Host, M., Ohlsson, M., Regnell, B., Wesslen, A.: Experimentation in Software Engineering. Springer, Berlin (2012)CrossRefMATH

17.

Seaman, C.: Qualitative methods in empirical studies of software engineering. IEEE Trans. Softw. Eng. 25(4), 557–572 (1999)CrossRef

Titel: Factors Impacting the Effort Required to Fix Security Vulnerabilities
verfasst von: Lotfi ben Othmane
Golriz Chehrazi
Eric Bodden
Petar Tsalovski
Achim D. Brucker
Philip Miseldine
Verlag: Springer International Publishing
Buch: Information Security
Print ISBN: 978-3-319-23317-8

Electronic ISBN: 978-3-319-23318-5

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-23318-5_6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"