The current practices of changing secure software: an empirical study

Developers change the code of their software to add new features, fix bugs, or improve its structure. Such frequent changes occasionally affect the security of the software. This paper reports a qualitative study of the practices of changing secure software in industry. The study involves interviews with eleven developers and security experts working on banking software, software for control systems, and at software consultancy companies. Through these interviews, we identified that the main security aspects practitioners attend to are dependency vulnerabilities, authentication and authorization, and the OWASP Top 10 vulnerabilities. The common techniques used to assess software after a code change are code review, code analysis, testing, and keyword search. The main challenges that practitioners face are the diversity of the security issues and the limited effectiveness of security assurance tools in detecting vulnerabilities. The study suggests that developers of secure software need techniques that support effective security assurance of modified software.
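The abstract names keyword search and dependency-vulnerability checking as two of the techniques practitioners use to assess a change. The script below is an added example, not code from the paper or from any of the interviewed organisations: it parses a constructed unified diff, flags changed lines that mention authentication, authorization, or dependency-manifest terms so a reviewer can prioritise them, and extracts version-pin changes that can then be checked against an advisory feed. The keyword lists are assumed starting points that a team would tune to its own code base.

```python
import re
from dataclasses import dataclass

# Constructed sample diff (not from the paper): touches a login check,
# bumps a pinned dependency, and makes one security-irrelevant edit.
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,6 +10,8 @@ def login(user, password):
-    if check_password(user, password):
+    if user.is_admin or check_password(user, password):
         session["uid"] = user.id
+    # TODO: remove debug token
+    session["token"] = "debug"
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
-requests==2.19.0
+requests==2.20.0
diff --git a/app/utils.py b/app/utils.py
--- a/app/utils.py
+++ b/app/utils.py
@@ -1,3 +1,3 @@
-def fmt(x):
+def fmt(x: int) -> str:
     return str(x)
"""

# Assumed keyword lists, grouped by the security aspects the abstract names.
KEYWORDS = {
    "authn/authz": ["password", "session", "token", "is_admin", "login",
                    "auth", "permission", "role"],
    "owasp": ["execute(", "eval(", "innerhtml", "subprocess", "os.system",
              "pickle", "deserialize"],
}
# Any change to these manifests is flagged as a dependency change.
MANIFESTS = ("requirements.txt", "package.json", "pom.xml", "go.mod")
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([0-9][^\s#]*)")


@dataclass
class Finding:
    path: str
    category: str
    keyword: str
    line: str


def parse_diff(diff_text):
    """Yield (path, sign, text) for every added ('+') or removed ('-') line."""
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            path = raw.split(" b/")[-1]
        elif raw.startswith(("+++", "---", "@@")) or path is None:
            continue
        elif raw[:1] in ("+", "-"):
            yield path, raw[0], raw[1:]


def scan_diff(diff_text):
    """Flag changed lines that touch a manifest or mention a security keyword.
    Removed lines are scanned too: a deleted check matters as much as an added one."""
    findings = []
    for path, sign, text in parse_diff(diff_text):
        if path.endswith(MANIFESTS):
            findings.append(Finding(path, "dependency", path, text.strip()))
            continue
        low = text.lower()
        for category, words in KEYWORDS.items():
            for w in words:
                if w in low:
                    findings.append(Finding(path, category, w, text.strip()))
    return findings


def files_needing_review(findings):
    """Changed files that deserve a security-focused review, sorted."""
    return sorted({f.path for f in findings})


def summarize(findings):
    """Count findings per category so the reviewer sees where the risk sits."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def dependency_changes(diff_text):
    """Pair removed and added pins in requirements.txt into (package, old, new)."""
    old, new = {}, {}
    for path, sign, text in parse_diff(diff_text):
        if not path.endswith("requirements.txt"):
            continue
        m = PIN.match(text)
        if m:
            (old if sign == "-" else new)[m.group(1).lower()] = m.group(2)
    return sorted((p, old.get(p), new.get(p)) for p in set(old) | set(new))


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    print("review:", files_needing_review(found))
    print("by category:", summarize(found))
    print("pins changed:", dependency_changes(SAMPLE_DIFF))
```

The pairs returned by `dependency_changes` are the input a team would look up against its vulnerability database; the keyword scan is deliberately noisy, since the abstract's point is that tooling here is a triage aid that directs human review rather than a detector of vulnerabilities.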
