Factors Impacting the Effort Required to Fix Security Vulnerabilities - An Industrial Case Study

To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it significantly decreases the time, and therefore the cost, required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports on a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, besides the characteristics of the vulnerabilities themselves, the structure of the software involved, the diversity of the technologies used, the smoothness of communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.
