Othmane, Lotfi Ben ; Chehrazi, Golriz ; Bodden, Eric ; Tsalovski, Petar ; Brucker, Achim ; Miseldine, Philip (2015)
Factors Impacting the Effort Required to Fix Security Vulnerabilities.
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it decreases significantly the time, and therefore the cost required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports about a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, beside the vulnerabilities characteristics, the structure of the software involved, the diversity of the used technologies, the smoothness of the communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2015 |
| Autor(en): | Othmane, Lotfi Ben ; Chehrazi, Golriz ; Bodden, Eric ; Tsalovski, Petar ; Brucker, Achim ; Miseldine, Philip |
| Art des Eintrags: | Bibliographie |
| Titel: | Factors Impacting the Effort Required to Fix Security Vulnerabilities |
| Sprache: | Deutsch |
| Publikationsjahr: | September 2015 |
| Buchtitel: | Proc. of the 18th Information Security Conference (ISC 2015) |
| Kurzbeschreibung (Abstract): | To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it decreases significantly the time, and therefore the cost required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports about a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, beside the vulnerabilities characteristics, the structure of the software involved, the diversity of the used technologies, the smoothness of the communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities. |
| Freie Schlagworte: | Secure Software Engineering Group |
| ID-Nummer: | TUD-CS-2015-0139 |
| Fachbereich(e)/-gebiet(e): | LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt 20 Fachbereich Informatik > Datenbanken und Verteilte Systeme LOEWE > LOEWE-Zentren 20 Fachbereich Informatik LOEWE |
| Hinterlegungsdatum: | 30 Dez 2016 20:23 |
| Letzte Änderung: | 17 Mai 2018 13:02 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum