Factors Impacting the Effort Required to Fix Security Vulnerabilities

An Industrial Case Study
  • Lotfi ben Othmane
  • Golriz Chehrazi
  • Eric Bodden
  • Petar Tsalovski
  • Achim D. Brucker
  • Philip Miseldine
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9290)


To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it significantly decreases the time, and therefore the cost, required to find, fix and address security vulnerabilities. But what are the factors involved, and what influence do they have? This paper reports on a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, besides the characteristics of the vulnerabilities themselves, the structure of the software involved, the diversity of the technologies used, the smoothness of communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.


Keywords: Human factors, Secure software, Vulnerability fix time



This work was supported by SAP SE, the BMBF within EC SPRIDE, and a Fraunhofer Attract grant. The authors thank the participants in the study.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Lotfi ben Othmane (1), corresponding author
  • Golriz Chehrazi (1)
  • Eric Bodden (1)
  • Petar Tsalovski (2)
  • Achim D. Brucker (2)
  • Philip Miseldine (2)
  1. Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany
  2. SAP SE, Walldorf, Germany