
Factors Impacting the Effort Required to Fix Security Vulnerabilities


1 Factors Impacting the Effort Required to Fix Security Vulnerabilities
Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, Achim Brucker, Philip Miseldine
09 September 2015

2 Vulnerabilities Fixing Process at SAP
Fixing processes:
- Released software: SAP security response process
- Software under development: fixing process for security testing
Participants include:
- Central security teams
- IMS maintenance organization
- Security experts
- Developers
- ...

3 Introduction - The Problem
Goal: predict the time to spend on analyzing and fixing a given vulnerability.
Let t = f(x1, ..., xj). What are x1, ..., xj?
SAP collects data about fixing security vulnerabilities. However, the data does not capture important issues such as team setup.
This work collects information about how security fixes are really done, through interviews with the experts.
The results are those of outside observers of the practices at SAP AG; they are not our own.

4 Introduction - Motivation
Cost of implementing security fixes (Cornell, RSA 2012):

  Vulnerability                        Average fix time (min)
  Dead code (unused methods)            2.6
  Poor logging: system output stream    2.9
  XSS (stored)                          9.6
  Lack of authorization check           6.9
  Unsafe threading                      8.5
  Null dereference                     10.2
  SQL injection                        97.5

The only factor considered is the vulnerability type. What about the others?

5 The Study - Scope
Goal: identify the factors that impact the fixing time
Method: interview participants in the vulnerability fixing process
Result: the major factors that impact the fixing time

6 The Study - Conduct of the Study
Interviews were conducted from 8 to 12 Dec. 2014.
Number of participants: 12 (12 hours)
- 9 from Germany and 3 from India
- Security experts, developers, coordinators, project leaders
- NetWeaver experts, custom application experts, application experts
Study steps: selection of participants -> preparation of the questions -> interviews -> transcribe the interviews -> code the interviews -> consolidate the data -> analyze the results

7 The Study - Conduct of the Study – Cont.
- Each interview is transcribed into about 16 pages
- Identified 21 code classes from 3 sample interviews
- Coded each transcript into a report of 4 pages
- Each interviewee is asked to review the report of his interview

8 The Study - Conduct of the Study - cont.
Coding examples (quote -> code -> category):
- "Code injections are difficult to fix" -> vulnerability type -> Vulnerability characteristics
- "If the function module is the same in all these 12 or 20 releases [...], then I just have to do one correction" -> similarity of code in the different releases -> Software structure

9 Factors that Impact the Vulnerability Fix time
  Factor category                                             # of factors   Freq.
  Vulnerabilities characteristics                                   6          9
  Software structure                                               19         10
  Technology diversification                                        3          5
  Communication and collaboration                                   7          8
  Availability and quality of information and documentation
  Experience and knowledge                                         12         11
  Code analysis tool                                                4
  Other

10 Observed Fixing Process
Process (as observed): Pre-analysis -> Analysis and design of the solution -> Implementation -> Test -> Release. Iterations among successive steps are performed implicitly / not marked.
This is the actual process. It maps the simplified process from the interviews, i.e., from reality and not from the theoretical process in documents. This is how the process is implemented in practice and observed by an external analyst.
We found three cases for fixing issues:
- Case 1: Analysis and design of a global solution
  - Impacts several products
  - May better be addressed using an API change
  - Addressed by several teams and involves the central security team
- Case 2: Analysis and design of an area solution, i.e., a solution specific to a group of products
  - Applies to a specific development area, e.g., the mobile applications area
  - The security expert of the area designs the solution with the developers
- Case 3: Analysis and design of a local solution
  - Applies to a specific vulnerability instance
  - The developer fixes the issue with potential help from colleagues

11 Take-Away
- Vulnerability type is one among many factors (65) that impact the vulnerability fix time
- The 8 factor categories reflect the main areas for improving the vulnerability fixing processes, e.g., software structure, training, etc.

12 Threats to Validity
Control of the threats to the validity of the results:
- The interviewees are diversified
- 2 researchers coded each interview and the results were consolidated
- The participants validated the reports of their interviews
Weaknesses:
- Used one method to identify the factors: interviewing experts
- Interviewed only 2 developers
External use:
- Diversity of product areas
- Distribution of development teams

13 Lessons learned
- The main interview questions should help the interviewees tell their own stories
- "What" questions are inefficient for enumerating elements
- The participants sometimes have their own messages to deliver
- There are as many vulnerability fixing processes as there are process participants
- Do not try to base the fix effort estimate on "a process"

14 Thank you lotfi.ben.othmane@sit.fraunhofer.de

