Software Assurance & Security Research - Software Security Economics

Application security programs, as part of a Security Development Life Cycle (SDLC) often need to prove that they actually pay off. Also, it is not always clear what are the most economical way of fixing a security vulnerability - in particular if the vulnerability is, as part of a secure software supply-chain a consumed third-party component.

To provide more insights into these topics we are, in collaboration with industry partners, working on empirical studies supporting our (software) security research areas. In particular, we are looking into

Effort models for fixing publicly revealed security vulnerabilities in consumed third part components and
Identifying factors that influence the time required for fixing security issues.

Important Publications §

[1]

L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, A. D. Brucker, and P. Miseldine, “Factors impacting the effort required to fix security vulnerabilities: An industrial case study,” in Information security conference (ISC 2015), C. Boyd and D. Gligoriski, Eds. Heidelberg: Springer-Verlag, 2015. doi: 10.1007/978-3-319-23318-5_6. Author copy: http://logicalhacking.com/publications/othmane.ea-fix-effort-2015/

[2]

S. Dashevskyi, A. D. Brucker, and F. Massacci, “On the security cost of using a free and open source component in a proprietary product,” in International symposium on engineering secure software and systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 190–206. doi: 10.1007/978-3-319-30806-7_12. Author copy: http://logicalhacking.com/publications/dashevskyi.ea-foss-costs-2016/

[3]

L. ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker, “Time for addressing software security issues: Prediction models and impacting factors,” Data Science and Engineering (DSEJ), vol. 2, no. 2, pp. 107–124, 2017, doi: 10.1007/s41019-016-0019-8. Author copy: http://logicalhacking.com/publications/othmane.ea-fix-effort-2016/

[4]

S. Dashevskyi, A. D. Brucker, and F. Massacci, “A screening test for disclosed vulnerabilities in FOSS components,” IEEE Trans. Software Eng., vol. 45, no. 10, pp. 945–966, Oct. 2019, doi: 10.1109/TSE.2018.2816033. Author copy: http://logicalhacking.com/publications/dashevskyi.ea-vulnerability-screening-2018/

[5]

S. Dashevskyi, A. D. Brucker, and F. Massacci, “On the effort for security maintenance of open source components,” 2018. Author copy: http://logicalhacking.com/publications/dashevskyi.ea-foss-efforts-2018/