Application security programs, as part of a Security Development Life Cycle (SDLC), often need to prove that they actually pay off. It is also not always clear what the most economical way of fixing a security vulnerability is, in particular if the vulnerability is located in a consumed third-party component that is part of a secure software supply chain.
To provide more insights into these topics we are, in collaboration with industry partners, working on empirical studies supporting our (software) security research areas. In particular, we are looking into
effort models for fixing publicly revealed security vulnerabilities in consumed third-party components, and
identifying factors that influence the time required for fixing security issues.
1. Dashevskyi, S., Brucker, A. D., and Massacci, F. "On the Security Cost of Using a Free and Open Source Component in a Proprietary Product." International Symposium on Engineering Secure Software and Systems (ESSoS) (2016): 190–206. doi:10.1007/978-3-319-30806-7_12, URL: http://www.brucker.ch/bibliography/abstract/dashevskyi.ea-foss-costs-2016
2. Othmane, L. ben, Chehrazi, G., Bodden, E., Tsalovski, P., and Brucker, A. D. "Time for Addressing Software Security Issues: Prediction Models and Impacting Factors." Data Science and Engineering (DSEJ) (2016). doi:10.1007/s41019-016-0019-8, URL: http://www.brucker.ch/bibliography/abstract/othmane.ea-fix-effort-2016
3. Othmane, L. ben, Chehrazi, G., Bodden, E., Tsalovski, P., Brucker, A. D., and Miseldine, P. "Factors Impacting the Effort Required to Fix Security Vulnerabilities: An Industrial Case Study." Information Security Conference (ISC 2015) (2015). doi:10.1007/978-3-319-23318-5_6, URL: http://www.brucker.ch/bibliography/abstract/othmane.ea-fix-effort-2015