Talks at the Second International Workshop on Agile Secure Software Development (ASSD’16)

The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Hasan Yasar from the Software Engineering Institute (SEI), CMU opened the sessions with a keynote talk on the experience of SEI in integrating security to DevOps for its clients.  He talked about on how DevOps principles were applied to develop secure applications, from idea to delivery of a completed application to production environment, also including operational support and incident response. He explained how to address application security concerns at early development lifecycle and how to address threats at different decisions point using integrated DevOps platforms. He emphasized the value of reference architecture, team collaboration, organization’s culture, considering security through development lifecycle, and continuous feedback.

The keynote was followed by a talk given by Vaishnavi Mohan, who discussed the aspects that SecDevOps authors have been discussing in the literature. Tosin Daniel Oyetoyan reported, in the second session, about his study on the relationships between software security skills, usage and training needs in Agile settings in two Norwegian companies. They observed that there is a positive linear relationship between the practice of security activities in software development projects and the skills and knowledge of the participating developers about software security. This suggests, if confirmed with more studies, that training developers on developing secure software leads to the production of secure software. Next Kalle Rindell gave an overview about the experience he has with his colleagues in building secure identity management system in an agile environment for the Finnish government. Lotfi ben Othmane discussed in the third talk the study they had on incremental security assurance for the e-commerce software, Zen Cart.

In the afternoon session Chad Heitzenrater discussed the application of economic utility functions within the negative use case development process to help development managers decide on the alternatives to mitigate the abuse cases. The presentation was followed by the talk of Daniela S. Cruzes, who reported about a study they performed to identify the factors that influence testing of nonfunctional requirements in agile teams, which are priority, culture, awareness, time pressure, cost, and technical issues.


The full ARES program, including the workshop program is available here

Time for Addressing Software Security Issues: Prediction Models and Impacting Factors

The second paper resulting from our collaboration with SAP on developing models for estimating the time to fix security issues is published by the Data Science and Engineering journal, Springer. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. The work shows that the time it takes to fix an issue seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. The models could be used to implement a continuous improvement of the secure software development processes and to measure the impact of individual improvements. The paper is published as open source and is available here.

CFP: Workshop on Empirical Research Methods in Information Security @ WWW2016

There is a growing use of empirical research methods to address cyber security challenges. This workshop aims to contribute to developing a common understanding of these methods and to set guidelines for using them for the different sub-disciplines including, but not limited to: security in software engineering, network security, security in social networks, and usable security. Researchers who work with these methods are encouraged to submit their work to the workshop and share their findings and experience. The submission deadline is January 4th, 2016. More information are available here.

The role of empirical research in engineering secure software

I gave, recently, a lecture at the Ninth International Crisis Management Workshop (CriM’15) and Oulu Winter School. The program included many interesting talks. I talked in my lecture about our experience on using interviews, questionnaires, and data analytics to address research questions in secure software development. The lecture video is publicly available here.

Talks at the First International Workshop on Agile Secure Software Development (ASSD’15)

The workshop was an opportunity to share experiences and ideas about developing secure software using the agile processes. Achim Bruker opened the sessions with an overview of the experience of SAP in developing secure software. This was followed by a talk given by Jesus Choliz about the application of Microsoft Secure Software Development process to develop secure systems for election management. Lotfi ben Othmane continued the discussion by showing how to use the B method to detect inconsistencies of access policies in the context of incremental software development. Next, Prof. Juha Röning gave an overview about his experience in developing a security fuzzing software and their use in agile processes. The spin-off that they created out of the project was recently sold to Synopsis.

In the afternoon session, Hela Oueslati discussed the challenges of developing secure software that she found in the literature and the evaluation of the validity of these challenges with respect to the agile values and principles and security practices. She asked the participants to help her in her future empirical studies about the topic. The presentation was followed by the talk of Clemens Teichmann, who shared the experience of his team in evaluating threat modeling methods for fitness to agile development processes used by their clients.

Afterwards, the attendees discussed the common point raised in the talks: the fast feedback and adaptation that agile processes offer helps development teams reducing the cost of developing secure software. Early identification of vulnerabilities allows for fixing them fast (It is easier to fix new code). In addition, development teams can develop, early in the projects, secure programming APIs or techniques to avoid the vulnerabilities they encounter in future development.

The full ARES program, including the workshop program is available here

New paper on risk estimation factors

The Computers & Security journal, Elsevier, published online, recently, our paper “Incorporating Attacker Capabilities in Risk Estimation and Mitigation“. We propose in this paper the use of attacker capabilities in estimating the risk of threats. Attacker capabilities are the abilities to access system resources that allow to attack the system. We argue that the proposed factor allows the experts to have close risk estimates, which would increase the confidence in risk assessment.

First International Workshop on Agile Secure Software Development

We are co-organizing the First International Workshop on Agile Secure Software Development (ASSD’15) with Prof. Röning from University of Oulu, Finland. The workshop is organized in conjunction with ARES 2015, which will be hosted in Toulouse, France from 24th to 28th August, 2015. We are looking for papers related to applying the agile approach and methods to develop secure software. We encourage you to submit your paper to the workshop.