Factors Impacting the Effort Required to Fix Security Vulnerabilities: An Industrial Case Study

By Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, Achim D. Brucker, and Philip Miseldine.

To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it significantly decreases the time, and therefore the cost, required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports on a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, besides the characteristics of the vulnerabilities, the structure of the software involved, the diversity of the technologies used, the smoothness of communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of the developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.

Keywords:
Human Factors, Secure Software, Vulnerability Fix Time

Obsoleted by:
This publication has been obsoleted by the following publication:
L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker, “Time for addressing software security issues: Prediction models and impacting factors,” Data Science and Engineering (DSEJ), vol. 2, no. 2, pp. 107–124, 2017, doi: 10.1007/s41019-016-0019-8. Author copy: https://logicalhacking.com/publications/othmane.ea-fix-effort-2016/

Please cite this work as follows:
L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, A. D. Brucker, and P. Miseldine, “Factors impacting the effort required to fix security vulnerabilities: An industrial case study,” in Information Security Conference (ISC 2015), C. Boyd and D. Gligoroski, Eds. Heidelberg: Springer-Verlag, 2015. doi: 10.1007/978-3-319-23318-5_6. Author copy: https://logicalhacking.com/publications/othmane.ea-fix-effort-2015/

BibTeX
@InCollection{ othmane.ea:fix-effort:2015,
  abstract    = {To what extent do investments in secure software engineering
                 pay off? Right now, many development companies are trying to
                 answer this important question. A change to a secure
                 development lifecycle can pay off if it significantly
                 decreases the time, and therefore the cost, required to
                 find, fix and address security vulnerabilities. But what are
                 the factors involved and what influence do they have? This
                 paper reports on a qualitative study conducted at SAP to
                 identify the factors that impact the vulnerability fix time.
                 The study involves interviews with 12 security experts.
                 Through these interviews, we identified 65 factors that fall
                 into classes which include, besides the characteristics of
                 the vulnerabilities, the structure of the software involved,
                 the diversity of the technologies used, the smoothness of
                 communication and collaboration, the availability and quality
                 of information and documentation, the expertise and knowledge
                 of the developers, and the quality of the code analysis
                 tools. These results will be an input to a planned
                 quantitative study to evaluate and predict how changes to the
                 secure software development lifecycle will likely impact the
                 effort to fix security vulnerabilities.},
  location    = {Trondheim},
  author      = {Lotfi ben Othmane and Golriz Chehrazi and Eric Bodden and
                 Petar Tsalovski and Achim D. Brucker and Philip Miseldine},
  booktitle   = {Information Security Conference ({ISC} 2015)},
  language    = {USenglish},
  publisher   = {Springer-Verlag},
  address     = {Heidelberg},
  series      = {Lecture Notes in Computer Science},
  editor      = {Colin Boyd and Danilo Gligoroski},
  title       = {Factors Impacting the Effort Required to Fix Security
                 Vulnerabilities: An Industrial Case Study},
  areas       = {software, security},
  keywords    = {Human Factors, Secure Software, Vulnerability Fix Time},
  year        = {2015},
  obsoletedby = {othmane.ea:fix-effort:2016},
  doi         = {10.1007/978-3-319-23318-5_6},
  isbn        = {978-3-642-38915-3},
  note        = {Author copy: \url{https://logicalhacking.com/publications/othmane.ea-fix-effort-2015/}},
  pdf         = {https://logicalhacking.com/publications/othmane.ea-fix-effort-2015/othmane.ea-fix-effort-2015.pdf},
}