Managing Vulnerabilities in Software Projects: the Case of NTT Data

Background: Software vulnerabilities are flaws in application source code that can be exploited to cause harm, so companies must devise strategies to manage them.

Aim: We want to understand how software vulnerabilities are managed in a large IT (Information Technology) service and consulting company such as NTT Data.

Method: We conducted a focus group with six software professionals working at NTT Data and analyzed the gathered data using a thematic analysis approach.

Results: We found that application security standards are defined based on the needs of the clients (i.e., the companies that commission NTT Data to develop the software) and on the nature of the project (i.e., development of a greenfield project vs. maintenance of an existing one). To detect software vulnerabilities, SAST (Static Application Security Testing) tools are mainly used; among these, SonarLint and SonarQube appear to be the de-facto standards at NTT Data. Finally, not all detected vulnerabilities are fixed: some are tolerated by the clients, who take on the responsibility for the decision not to remove them.

Conclusions: Developers and NTT Data clients do not appear to be averse to securing their code. NTT Data follows the application security standards agreed with its clients. To detect software vulnerabilities, SonarLint and SonarQube appear to be the de-facto standards, which explains to some extent the increasing attention paid to these tools by the software engineering research community.
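The results above describe two practices that, taken together, need a concrete mechanism: SAST findings gate the build, and some findings are tolerated because a client has explicitly accepted the residual risk. The following is an added example, not code or process from the study or from NTT Data, showing one way to implement that triage: findings are constructed inline in a shape loosely resembling a SonarQube issues export (rule identifiers such as `java:S3649` are used purely for illustration), and a client acceptance is matched on rule and file, carries an owner and a justification, and has an expiry date so that a tolerated vulnerability resurfaces when the acceptance lapses instead of being forgotten.

```python
# Added example: triaging SAST findings against a client-approved
# risk-acceptance list. All data below is constructed; rule identifiers
# follow the SonarQube "java:Snnnn" naming purely for illustration and
# nothing here is NTT Data's tooling or process.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    rule: str        # analyzer rule identifier (illustrative)
    severity: str    # BLOCKER, CRITICAL, MAJOR, MINOR or INFO
    component: str   # file the finding was raised in
    line: int
    message: str


@dataclass(frozen=True)
class Acceptance:
    """A client's documented decision to tolerate a finding.

    Matched on (rule, component) rather than line number, because lines
    shift on every commit while the accepted weakness does not.
    """
    rule: str
    component: str
    approved_by: str   # who on the client side owns the residual risk
    justification: str
    expires: str       # ISO date; the acceptance must be renewed after it


FAIL_ON = ("BLOCKER", "CRITICAL")   # severities that break the quality gate

# Constructed sample findings for a hypothetical Java project.
FINDINGS = [
    Finding("java:S3649", "BLOCKER", "src/OrderRepository.java", 88,
            "SQL query built from user-controlled input"),
    Finding("java:S2078", "CRITICAL", "src/LdapAuth.java", 41,
            "LDAP filter built from user-controlled input"),
    Finding("java:S4790", "CRITICAL", "src/legacy/Checksum.java", 17,
            "MD5 used for hashing"),
    Finding("java:S1166", "MAJOR", "src/Util.java", 12,
            "Exception handled without logging or rethrowing"),
    Finding("java:S5131", "BLOCKER", "src/Report.java", 203,
            "User input reflected into HTML without encoding"),
]

# Constructed acceptances signed off by the (hypothetical) client.
ACCEPTANCES = [
    Acceptance("java:S4790", "src/legacy/Checksum.java", "client-appsec",
               "MD5 only verifies integrity of internal batch files; "
               "no security decision depends on it", "2025-12-31"),
    Acceptance("java:S5131", "src/Report.java", "client-appsec",
               "Report page reachable only from the intranet", "2024-06-30"),
]


def triage(findings, acceptances, today):
    """Split findings into blocking / accepted / backlog for a given day.

    today is an ISO date string so a run is reproducible. An acceptance
    whose expiry date has passed is ignored and reported under 'expired',
    so the tolerated vulnerability blocks the build again until renewed.
    """
    run_day = date.fromisoformat(today)
    index = {(a.rule, a.component): a for a in acceptances}
    result = {"blocking": [], "accepted": [], "backlog": [], "expired": []}
    for f in findings:
        acc = index.get((f.rule, f.component))
        if acc is not None and date.fromisoformat(acc.expires) >= run_day:
            result["accepted"].append(f)
            continue
        if acc is not None:
            result["expired"].append(acc)
        if f.severity in FAIL_ON:
            result["blocking"].append(f)
        else:
            result["backlog"].append(f)   # tracked, does not fail the gate
    return result


def gate_passes(result):
    """The build is allowed through only when nothing is blocking."""
    return not result["blocking"]


if __name__ == "__main__":
    r = triage(FINDINGS, ACCEPTANCES, "2025-03-01")
    for key in ("blocking", "accepted", "backlog"):
        for f in r[key]:
            print(f"{key:9} {f.severity:8} {f.rule} {f.component}:{f.line}")
    for a in r["expired"]:
        print(f"expired   acceptance for {a.rule} in {a.component} "
              f"(approved by {a.approved_by}, expired {a.expires})")
    print("quality gate:", "PASS" if gate_passes(r) else "FAIL")
```

Run on 2025-03-01 the gate fails: the SQL and LDAP injection findings have no acceptance, and the XSS acceptance expired in mid-2024, so it is listed as expired and the finding blocks again. Only the MD5 finding is let through, with the client's name and justification attached to the decision; the MAJOR finding goes to the backlog without failing the build. Keeping the acceptance list in the repository next to the analyzer configuration makes the "tolerated by the client" decision reviewable in the same way as any other code change.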
