Time for Addressing Software Security Issues: Prediction Models and Impacting Factors

By Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, and Achim D. Brucker.

Finding and fixing software vulnerabilities have become a major struggle for most software development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. In this paper, we quantitatively investigate the major factors that impact the time it takes to fix a given security issue, based on data collected automatically within SAP's secure development process, and we show how the issue fix time could be used to monitor the fixing process. We use three machine learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that vulnerability type has a less dominant impact on issue fix time than previously believed. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. The development teams at SAP develop different types of software, adopt different internal development processes, use different programming languages and platforms, and are located in different cities and countries. Other organizations may use the results, with precaution, and be learning organizations.

Keywords:
Human factors, Secure software, Issue fix time

Please cite this work as follows:
L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker, “Time for addressing software security issues: Prediction models and impacting factors,” Data Science and Engineering (DSEJ), vol. 2, no. 2, pp. 107–124, 2017, doi: 10.1007/s41019-016-0019-8. Author copy: http://logicalhacking.com/publications/othmane.ea-fix-effort-2016/

BibTeX
@Article{othmane.ea:fix-effort:2016,
  abstract    = {Finding and fixing software vulnerabilities have become a
                 major struggle for most software development companies. While
                 generally without alternative, such fixing efforts are a major
                 cost factor, which is why companies have a vital interest in
                 focusing their secure software development activities such
                 that they obtain an optimal return on this investment. We
                 investigate, in this paper, quantitatively the major factors
                 that impact the time it takes to fix a given security issue
                 based on data collected automatically within SAP's secure
                 development process, and we show how the issue fix time could
                 be used to monitor the fixing process. We use three machine
                 learning methods and evaluate their predictive power in
                 predicting the time to fix issues. Interestingly, the models
                 indicate that vulnerability type has less dominant impact on
                 issue fix time than previously believed. The time it takes to
                 fix an issue instead seems much more related to the component
                 in which the potential vulnerability resides, the project
                 related to the issue, the development groups that address the
                 issue, and the closeness of the software release date. This
                 indicates that the software structure, the fixing processes,
                 and the development groups are the dominant factors that
                 impact the time spent to address security issues. SAP can use
                 the models to implement a continuous improvement of its secure
                 software development process and to measure the impact of
                 individual improvements. The development teams at SAP develop
                 different types of software, adopt different internal
                 development processes, use different programming languages and
                 platforms, and are located in different cities and countries.
                 Other organizations may use the results--with precaution--and
                 be learning organizations.},
  author      = {Lotfi ben Othmane and Golriz Chehrazi and Eric Bodden and
                 Petar Tsalovski and Achim D. Brucker},
  journal     = {Data Science and Engineering (DSEJ)},
  language    = {USenglish},
  year        = {2017},
  volume      = {2},
  number      = {2},
  pages       = {107--124},
  issn        = {2364-1185},
  onlinefirst = {2016-09-27},
  publisher   = {Springer-Verlag},
  address     = {Heidelberg},
  title       = {Time for Addressing Software Security Issues: Prediction
                 Models and Impacting Factors},
  areas       = {software, security},
  keywords    = {Human factors, Secure software, Issue fix time},
  doi         = {10.1007/s41019-016-0019-8},
  note        = {Author copy: \url{http://logicalhacking.com/publications/othmane.ea-fix-effort-2016/}},
}