Vulnerability detection techniques and tools and their relationship to agile methods and software quality and service models

Published: 20 May 2019

Abstract

Information systems must be secure to achieve their goals, so possible vulnerabilities in the software need to be detected during development. This paper describes the use of vulnerability detection techniques and tools (VDTT) in complex environments and their relationship to software quality and service models in teams that use agile methods. To do so, a survey was carried out listing 18 techniques and tools drawn from three well-known secure software development processes. The survey was applied to 76 members of agile software development teams that have already deployed, are in the process of deploying, or plan to deploy vulnerability detection techniques and tools in their projects. From the data collected, we describe the use of VDTT in complex development environments and the associations between the adoption of software quality and service models and the use of VDTT. Fisher's exact test was used to analyze and interpret the associations found.
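The association analysis named in the abstract works on 2x2 contingency tables: respondents are cross-classified by whether their team adopted a quality or service model and whether it uses VDTT, and Fisher's exact test gives the probability of seeing a table at least that unbalanced if the two were independent. The example below is added here to show that computation end to end; it is not the paper's code and the survey records it runs on are constructed for illustration, not the 76 responses the paper collected. Field names (`quality_model`, `uses_vdtt`) are assumptions.

```python
from fractions import Fraction
from math import comb

# Constructed sample, NOT the paper's survey data: one record per respondent,
# recording whether the team has adopted a quality/service model and whether
# it uses vulnerability detection techniques and tools (VDTT).
SURVEY = (
    [{"quality_model": True, "uses_vdtt": True}] * 8
    + [{"quality_model": True, "uses_vdtt": False}] * 2
    + [{"quality_model": False, "uses_vdtt": True}] * 3
    + [{"quality_model": False, "uses_vdtt": False}] * 7
)


def contingency_table(responses, row_key, col_key):
    """Count responses into a 2x2 table [[a, b], [c, d]]:
    rows = row_key True/False, columns = col_key True/False."""
    a = b = c = d = 0
    for r in responses:
        if r[row_key] and r[col_key]:
            a += 1
        elif r[row_key]:
            b += 1
        elif r[col_key]:
            c += 1
        else:
            d += 1
    return [[a, b], [c, d]]


def _table_prob(x, row1, row2, col1):
    """Hypergeometric probability of the table whose top-left cell is x,
    conditional on the row totals (row1, row2) and first-column total col1."""
    return Fraction(comb(row1, x) * comb(row2, col1 - x), comb(row1 + row2, col1))


def fisher_exact(table):
    """Two-sided Fisher exact test on a 2x2 table.

    Under the null hypothesis of no association the cell counts follow a
    hypergeometric distribution with the margins fixed. The p-value sums the
    probabilities of every table with those margins that is no more likely
    than the observed one. Exact rational arithmetic is used so that tables
    of equal probability (mirror images) are never dropped by float rounding.
    Returns (p_value, odds_ratio); odds_ratio is None when a cell is zero,
    because a*d/(b*c) is then undefined (a Haldane +0.5 correction is the
    usual alternative when a finite estimate is required).
    """
    (a, b), (c, d) = table
    row1, row2, col1 = a + b, c + d, a + c
    p_obs = _table_prob(a, row1, row2, col1)
    # Smallest and largest feasible top-left cell given the fixed margins.
    lo, hi = max(0, col1 - row2), min(row1, col1)
    p_value = Fraction(0)
    for x in range(lo, hi + 1):
        p_x = _table_prob(x, row1, row2, col1)
        if p_x <= p_obs:
            p_value += p_x
    odds_ratio = a * d / (b * c) if b * c else None
    return float(p_value), odds_ratio


if __name__ == "__main__":
    table = contingency_table(SURVEY, "quality_model", "uses_vdtt")
    p, odds = fisher_exact(table)
    print("table", table, "p-value %.4f" % p, "odds ratio", odds)
```

With the constructed sample the table is [[8, 2], [3, 7]], which gives a two-sided p-value of about 0.070 and an odds ratio of about 9.3: a noticeable but not conventionally significant association at the 0.05 level, which is the kind of judgement the abstract refers to. Fisher's test is the right choice here rather than a chi-square test because several cells are small.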

Published In

SBSI '19: Proceedings of the XV Brazilian Symposium on Information Systems
May 2019
623 pages
ISBN:9781450372374
DOI:10.1145/3330204

In-Cooperation

  • SBC: Brazilian Computer Society

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Agile Methods
  2. Software Development
  3. Survey
  4. Vulnerability Detection
  5. methods and software quality and service models

Acceptance Rates

Overall Acceptance Rate 181 of 557 submissions, 32%
