Achieving "Good Enough" Software Security: The Role of Objectivity

Today's software development projects need to treat security as one of the qualities the software should possess. However, overspending on security makes the software more expensive and often delays it as well. This paper discusses the role of objectivity in assessing and researching the goal of good enough security. Different understandings of objectivity are introduced, and the paper explores how these can guide the way forward in improving judgements on what level of security is good enough. The paper recommends adopting and improving upon methods that include different perspectives, support the building of interactive expertise, and support confirmability by documenting the basis on which judgements were made.
