Copyright: Catharina Frank
Harvester has scored 1st place at this year’s German IT-Sicherheitspreis! Every two years, the Horst Görtz Foundation awards EUR 200,000 to the three winners, with the first place being awarded EUR 100,000. More at Heise (in German)
Many thanks to the judges and the foundation! Harvester will is planned to be available soon as a plugin into our CodeInspect framework. We are further thinking of providing a command-line version to interested customers.
The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Hasan Yasar from the Software Engineering Institute (SEI), CMU opened the sessions with a keynote talk on the experience of SEI in integrating security to DevOps for its clients. He talked about on how DevOps principles were applied to develop secure applications, from idea to delivery of a completed application to production environment, also including operational support and incident response. He explained how to address application security concerns at early development lifecycle and how to address threats at different decisions point using integrated DevOps platforms. He emphasized the value of reference architecture, team collaboration, organization’s culture, considering security through development lifecycle, and continuous feedback.
The keynote was followed by a talk given by Vaishnavi Mohan, who discussed the aspects that SecDevOps authors have been discussing in the literature. Tosin Daniel Oyetoyan reported, in the second session, about his study on the relationships between software security skills, usage and training needs in Agile settings in two Norwegian companies. They observed that there is a positive linear relationship between the practice of security activities in software development projects and the skills and knowledge of the participating developers about software security. This suggests, if confirmed with more studies, that training developers on developing secure software leads to the production of secure software. Next Kalle Rindell gave an overview about the experience he has with his colleagues in building secure identity management system in an agile environment for the Finnish government. Lotfi ben Othmane discussed in the third talk the study they had on incremental security assurance for the e-commerce software, Zen Cart.
In the afternoon session Chad Heitzenrater discussed the application of economic utility functions within the negative use case development process to help development managers decide on the alternatives to mitigate the abuse cases. The presentation was followed by the talk of Daniela S. Cruzes, who reported about a study they performed to identify the factors that influence testing of nonfunctional requirements in agile teams, which are priority, culture, awareness, time pressure, cost, and technical issues.
The full ARES program, including the workshop program is available here
The second paper resulting from our collaboration with SAP on developing models for estimating the time to fix security issues is published by the Data Science and Engineering journal, Springer. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. The work shows that the time it takes to fix an issue seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. The models could be used to implement a continuous improvement of the secure software development processes and to measure the impact of individual improvements. The paper is published as open source and is available here.