Application security programs, as part of a Security Development Life Cycle (SDLC), often need to prove that they actually pay off. Also, it is not always clear what the most economical way of fixing a security vulnerability is, in particular if the vulnerability is located in a consumed third-party component that is part of a secure software supply chain.
To provide more insights into these topics, we are, in collaboration with industry partners, working on empirical studies supporting our (software) security research areas. In particular, we are looking into
Important Publications
[1] L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, A. D. Brucker, and P. Miseldine, “Factors impacting the effort required to fix security vulnerabilities: An industrial case study,” in Information Security Conference (ISC 2015), C. Boyd and D. Gligoriski, Eds. Heidelberg: Springer-Verlag, 2015. doi: 10.1007/978-3-319-23318-5_6.
[2] S. Dashevskyi, A. D. Brucker, and F. Massacci, “On the security cost of using a free and open source component in a proprietary product,” in International Symposium on Engineering Secure Software and Systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 190–206. doi: 10.1007/978-3-319-30806-7_12.
[3] L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker, “Time for addressing software security issues: Prediction models and impacting factors,” Data Science and Engineering (DSEJ), vol. 2, no. 2, pp. 107–124, 2017. doi: 10.1007/s41019-016-0019-8.
[4] S. Dashevskyi, A. D. Brucker, and F. Massacci, “A screening test for disclosed vulnerabilities in FOSS components,” IEEE Transactions on Software Engineering, vol. 45, no. 10, pp. 945–966, Oct. 2019. doi: 10.1109/TSE.2018.2816033.