TU Darmstadt / ULB / TUbiblio

Time for Addressing Software Security Issues: Prediction Models and Impacting Factors

Othmane, Lotfi Ben ; Chehrazi, Golriz ; Bodden, Eric ; Tsalovski, Petar ; Brucker, Achim (2015)
Time for Addressing Software Security Issues: Prediction Models and Impacting Factors.
Report, Bibliographie

Kurzbeschreibung (Abstract)

Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process and we show how the issue fix time could be used to monitor the fixing process. We use three machine-learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that the impact of vulnerability type has a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. Other companies can use similar models and mechanisms an be a learning organization.

Typ des Eintrags: Report
Erschienen: 2015
Autor(en): Othmane, Lotfi Ben ; Chehrazi, Golriz ; Bodden, Eric ; Tsalovski, Petar ; Brucker, Achim
Art des Eintrags: Bibliographie
Titel: Time for Addressing Software Security Issues: Prediction Models and Impacting Factors
Sprache: Deutsch
Publikationsjahr: November 2015
Ort: Darmstadt
Verlag: Technische Universität
Reihe: Technical Report
Zugehörige Links:
Kurzbeschreibung (Abstract):

Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process and we show how the issue fix time could be used to monitor the fixing process. We use three machine-learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that the impact of vulnerability type has a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. Other companies can use similar models and mechanisms an be a learning organization.

Freie Schlagworte: Secure Software Engineering Group, Human factors, secure software, issue fix time
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Datenbanken und Verteilte Systeme
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Hinterlegungsdatum: 30 Dez 2016 20:23
Letzte Änderung: 24 Aug 2023 10:07
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen