Application security programs, as part of a Security Development Life Cycle (SDLC) often need to prove that they actually pay-off. Also, it is not always clear what are the most economical way of fixing a security vulnerability - in particular if the vulnerability is, as part of a secure software supply-chain an consumed third-party component.

To provide more insights into these topics we are, in collaboration with industry partners, working on empirical studies supporting our (software) security research areas. In particular, we are looking into

  • effort models for fixing publicly revealed security vulnerabilities in consumed third part components and

  • identifying factors that influence the time required for fixing security issues.

Important Publications

1. Dashevskyi, S., Brucker, A. D., and Massacci, F. “On the Security Cost of Using a Free and Open Source Component in a Proprietary ProductInternational symposium on engineering secure software and systems (essos) (2016): 190–206. doi:10.1007/978-3-319-30806-7_12, URL:

2. Othmane, L. ben, Chehrazi, G., Bodden, E., Tsalovski, P., and Brucker, A. D. “Time for Addressing Software Security Issues: Prediction Models and Impacting FactorsData Science and Engineering (dsej) 2, no. 2 (2017): 107–124. doi:10.1007/s41019-016-0019-8, URL:

3. Othmane, L. ben, Chehrazi, G., Bodden, E., Tsalovski, P., Brucker, A. D., and Miseldine, P. “Factors Impacting the Effort Required to Fix Security Vulnerabilities: An Industrial Case StudyInformation security conference (isc 2015) (2015): doi:10.1007/978-3-319-23318-5_6, URL: