Thursday, June 30 • 17:05 - 17:50
Time for Addressing Software Security Issues: Prediction Models and Impacting Factors


Authors: Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, and Achim D. Brucker.

Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While there is generally no alternative to fixing them, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment.

In this talk we present our work on the major factors that impact the time it takes to fix a given security issue, based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. In this work we used three basic machine-learning methods and evaluated their power to predict the time to fix issues. Interestingly, the generated prediction models indicate that the vulnerability type has only a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues.


Lotfi ben Othmane

Head of Department Secure Software Engineering, Fraunhofer SIT
Lotfi ben Othmane is currently the head of the Secure Software Engineering department at Fraunhofer SIT. He received his Ph.D. degree from Western Michigan University (WMU), USA, in 2010 and his M.S. degree from the University of Sherbrooke, Canada, in 2000. He worked on several...

Thursday June 30, 2016 17:05 - 17:50 CEST
Room D (Tiziano Ballroom Sec. 3)