Data-Driven Improvement of Static Application Security Testing Service: An Experience Report in Visma

Conference paper in Product-Focused Software Process Improvement (PROFES 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13709)

Abstract

Security is increasingly recognized as an important aspect of software development processes. Improving security processes in agile teams is very important to streamline the focus on security while keeping the agility of the software development process. In Visma we use data to drive the improvement of the security services provided to the software teams. The improvement process involves changing the services or their structures after a period of usage and experience with them, driven by data collected during operations. We systematically identify the areas that need changes in order to become more valuable for the development teams and for the security program. In this paper we describe the improvement process used on the security static analysis service in Visma, the data we used for that, how we extracted this data from the Static Application Security Testing (SAST) tool, and the lessons learned, and we also provide some guidelines to other organizations that would like to use this method on their own services.

Supported by Visma.

Acknowledgments

We would like to thank Visma and all the participants of the Security process improvement.

Corresponding author

Correspondence to Monica Iovan.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Iovan, M., Cruzes, D.S. (2022). Data-Driven Improvement of Static Application Security Testing Service: An Experience Report in Visma. In: Taibi, D., Kuhrmann, M., Mikkonen, T., Klünder, J., Abrahamsson, P. (eds) Product-Focused Software Process Improvement. PROFES 2022. Lecture Notes in Computer Science, vol 13709. Springer, Cham. https://doi.org/10.1007/978-3-031-21388-5_11

  • DOI: https://doi.org/10.1007/978-3-031-21388-5_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-21387-8

  • Online ISBN: 978-3-031-21388-5

  • eBook Packages: Computer Science (R0)