Factors Impacting the Effort Required to Fix Security Vulnerabilities
To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it decreases significantly the time, and therefore the cost required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports about a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, beside the vulnerabilities characteristics, the structure of the software involved, the diversity of the used technologies, the smoothness of the communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.
KeywordsHuman factors Secure software Vulnerability fix time
This work was supported by SAP SE, the BMBF within EC SPRIDE, and a Fraunhofer Attract grant. The authors thank the participants in the study.
- 1.Katzeff, P.: Hacking epidemic spurs security software stocks, February 2015. Investor’s business daily of 02/19/2015. http://news.investors.com/investing-mutual-funds/021915-740082-revenues-are-up-for-security-software-firms.htm
- 2.McGraw, G.: Software Security: Building Security In. Addison-Wesley Software Security Series. Pearson Education Inc., Boston (2006)Google Scholar
- 4.Howard, M., Lipner, S.: The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, CA (2006)Google Scholar
- 5.Hamill, M., Goseva-Popstojanova, K.: Software faults fixing effort: Analysis and prediction. Technical report 20150001332, NASA Goddard Space Flight Center, Greenbelt, MD United States, January 2014Google Scholar
- 7.Cornell, D.: Remediation statistics: what does fixing application vulnerabilities cost? In: Proceedings of the RSAConference, San Fransisco, CA, USA, February 2012Google Scholar
- 9.Shin, Y., Williams, L.: Is complexity really the enemy of software security? In: Proceedings of the 4th ACM Workshop on Quality of Protection. QoP 2008, Alexandria, VA, USA, pp. 47–50, October 2008Google Scholar
- 11.Brucker, A.D., Sodan, U.: Deploying static application security testing on a large scale. In: GI Sicherheit 2014. Lecture Notes in Informatics, vol. 228, pp. 91–101, March 2014Google Scholar
- 12.Yin, R.K.: Case Study Research: Design and Methods. Sage Publications, Beverly Hills (1984)Google Scholar
- 13.Jacob, S.A., Furgerson, S.P.: Writing interview protocols and conducting interviews: tips for students new to the field of qualitative research. Qual. Rep. 17(42), Article no. 6, 1–10, October 2012Google Scholar
- 14.Brikci, N., Green, J.: A guide to using qualitative research methodology, February 2007. http://www.alnap.org/resource/13024
- 15.Saldana, J.: The Coding Manual for Qualitative Researchers. SAGE Publications Ltd, London (2009)Google Scholar