DOI: 10.1145/3341105.3373922
Research article (open access)

The current practices of changing secure software: an empirical study

Published: 30 March 2020

Abstract

Developers change the code of their software to add new features, fix bugs, or enhance its structure. Such frequent changes occasionally affect the security of the software. This paper reports a qualitative study of the practices of changing secure software in industry. The study involves interviews with eleven developers and security experts working on banking software, software for control systems, and at software consulting companies. Through these interviews, we identified that the main security aspects practitioners consider are dependency vulnerabilities, authentication and authorization, and OWASP Top 10 vulnerabilities. The common techniques used to assess software after a code change are code review, code analysis, testing, and keyword search. The main challenges that practitioners face are the diversity of the security issues and the limited effectiveness of security assurance tools in detecting vulnerabilities. The study suggests that developers of secure software need techniques that support effective security assurance of modified software.
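The abstract names keyword search as one of the techniques practitioners use to assess a code change, and lists dependency vulnerabilities, authentication and authorization, and OWASP Top 10 issues as the aspects they look for. The script below is an added example, not code from the paper or its study participants: it walks a git-style unified diff and sorts each added or removed line into those aspects, recognising dependency changes by the manifest file touched and the other aspects by keyword patterns. The manifest list, the patterns, the aspect names and `SAMPLE_DIFF` are all constructed for illustration and would be tuned to a real code base.

```python
"""Keyword search over a code change, as a triage step (added example)."""
import re
from collections import defaultdict

# Files whose modification changes the dependency set (assumed list).
DEPENDENCY_MANIFESTS = {
    "requirements.txt", "package.json", "package-lock.json", "pom.xml",
    "build.gradle", "go.mod", "go.sum", "Cargo.toml", "Gemfile", "composer.json",
}

# Keyword patterns per security aspect (assumptions for this example).
KEYWORDS = {
    "authn/authz": re.compile(
        r"\b(?:auth(?:enticat|oriz)\w*|login|logout|session|password|passwd|"
        r"token|jwt|role|permission|is_admin|acl)\b", re.I),
    # SQL literal followed by '+', SQL inside an f-string, or a direct
    # code/command execution call.
    "owasp-injection": re.compile(
        r"[\"'](?:SELECT|INSERT|UPDATE|DELETE)\b[^\"']*[\"']\s*\+"
        r"|f[\"']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b"
        r"|\b(?:eval|exec|os\.system|subprocess\.(?:call|run|Popen)|popen)\s*\(", re.I),
    "owasp-crypto": re.compile(
        r"\b(?:md5|sha1|des|rc4|mode_ecb)\b|verify\s*=\s*False", re.I),
    "owasp-deserialization": re.compile(
        r"\b(?:pickle\.loads?|marshal\.loads?|yaml\.load|ObjectInputStream)\b", re.I),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def iter_changed_lines(diff_text):
    """Yield (path, new_lineno, sign, text) for every '+'/'-' line.

    new_lineno is the line number in the new file for added lines and
    None for removed lines. Only git-style unified diffs are handled.
    """
    path, new_lineno, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False          # following ---/+++ lines are file headers
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].strip()
                path = path[2:] if path.startswith("b/") else path
            m = HUNK_HEADER.match(raw)
            if m:
                new_lineno, in_hunk = int(m.group(1)), True
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_lineno = int(m.group(1))
        elif raw.startswith("+"):
            yield path, new_lineno, "+", raw[1:]
            new_lineno += 1
        elif raw.startswith("-"):
            yield path, None, "-", raw[1:]
        elif not raw.startswith("\\"):   # skip "\ No newline at end of file"
            new_lineno += 1              # context line (" ..." or empty)


def triage_diff(diff_text):
    """Map each security aspect to the changed lines that touch it."""
    findings = defaultdict(list)
    for path, lineno, sign, text in iter_changed_lines(diff_text):
        if path and path.rsplit("/", 1)[-1] in DEPENDENCY_MANIFESTS:
            findings["dependency"].append((path, lineno, sign, text.strip()))
            continue
        for aspect, pattern in KEYWORDS.items():
            if pattern.search(text):
                findings[aspect].append((path, lineno, sign, text.strip()))
    return dict(findings)


# Constructed sample change: a dependency bump, a new authorization check,
# a weak hash, and a parameterized query replaced by string concatenation.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
 flask==2.3.3
-requests==2.31.0
+requests==2.32.3
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,7 +10,10 @@ def dashboard(user):
     items = load_items()
+    if not user.is_admin:
+        return forbidden()
+    audit_id = hashlib.md5(user.name.encode()).hexdigest()
     return render(items)
 
 def report(request):
-    query = "SELECT * FROM reports WHERE id = %s"
-    cursor.execute(query, (request.args["id"],))
+    query = "SELECT * FROM reports WHERE id = " + request.args["id"]
+    cursor.execute(query)
     return cursor.fetchall()
"""

if __name__ == "__main__":
    for aspect, hits in triage_diff(SAMPLE_DIFF).items():
        print(f"[{aspect}]")
        for path, lineno, sign, text in hits:
            print(f"  {sign} {path}:{lineno or '-'}: {text}")
```

On the sample change the search flags the dependency bump, the new `is_admin` check, the `md5` call and the concatenated `SELECT`, while the removed parameterized query (`%s` with a bound argument) is not flagged. That is the useful signal for a reviewer, but it is only a pointer: a flagged line is not a confirmed vulnerability, an attacker-controlled value reaching a query through a helper with no keyword in its name is missed entirely, and the hit lists are only as good as the patterns. This is the gap the study's participants describe when they report that assurance tools have limited effectiveness in detecting vulnerabilities after a change.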


Published In

SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing
March 2020, 2348 pages
ISBN: 9781450368667
DOI: 10.1145/3341105

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. code change
2. secure code
3. secure code change


Funding Sources

• John Deere

Conference

SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing
March 30 - April 3, 2020
Brno, Czech Republic

Acceptance Rates

Overall acceptance rate: 1,650 of 6,669 submissions, 25%
