Time for Addressing Software Security Issues: Prediction Models and Impacting Factors

By Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, and Achim D. Brucker.

Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment.

In this paper, we quantitatively investigate the major factors that impact the time it takes to fix a given security issue, based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. We use three machine-learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that the vulnerability type has only a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues.

SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. Other companies can use similar models and mechanisms and be a learning organization.

Obsoleted by:
This publication has been obsoleted by the following publication:
L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker, “Time for addressing software security issues: Prediction models and impacting factors,” Data Science and Engineering (DSEJ), vol. 2, no. 2, pp. 107–124, 2017, doi: 10.1007/s41019-016-0019-8. Author copy: http://logicalhacking.com/publications/othmane.ea-fix-effort-2016/

Please cite this work as follows:
L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker, “Time for addressing software security issues: Prediction models and impacting factors,” Technische Universität Darmstadt, TUD-CS-2015-1268, Nov. 2015. Author copy: http://logicalhacking.com/publications/othmane.ea-time-2015/

BibTeX
@TechReport{ othmane.ea:time:2015,
  author      = {Lotfi ben Othmane and Golriz Chehrazi and Eric Bodden and
                 Petar Tsalovski and Achim D. Brucker},
  title       = {Time for Addressing Software Security Issues: Prediction
                 Models and Impacting Factors},
  institution = {Technische Universit{\"a}t Darmstadt},
  year        = {2015},
  number      = {TUD-CS-2015-1268},
  month       = {nov},
  abstract    = {Finding and fixing software vulnerabilities has become a
                 major struggle for most software-development companies. While
                 generally without alternative, such fixing efforts are a major
                 cost factor, which is why companies have a vital interest in
                 focusing their secure software development activities such
                 that they obtain an optimal return on this investment.
                 
                 We investigate, in this paper, quantitatively the major
                 factors that impact the time it takes to fix a given security
                 issue based on data collected automatically within SAP's
                 secure development process and we show how the issue fix time
                 could be used to monitor the fixing process. We use three
                 machine-learning methods and evaluate their predictive power
                 in predicting the time to fix issues. Interestingly, the
                 models indicate that the vulnerability type has only a
                 small impact on issue fix time. The time it takes to fix an
                 issue instead seems much more related to the component in
                 which the potential vulnerability resides, the project related
                 to the issue, the development groups that address the issue,
                 and the closeness of the software release date. This indicates
                 that the software structure, the fixing processes, and the
                 development groups are the dominant factors that impact the
                 time spent to address security issues.
                 
                 SAP can use the models to implement a continuous improvement
                 of its secure software development process and to measure the
                 impact of individual improvements. Other companies can use
                 similar models and mechanisms and be a learning organization.},
  obsoletedby = {othmane.ea:fix-effort:2016},
  areas       = {software, security},
  note        = {Author copy: \url{http://logicalhacking.com/publications/othmane.ea-time-2015/}},
}