DOI: 10.1145/3377812.3381393
Research article

The effects of required security on software development effort

Published: 01 October 2020

Abstract

Problem: developers are increasingly adopting security practices in software projects in response to cyber threats. Despite the additional effort those practices require, current cost models either do not take security as an input or have not been properly validated against empirical data. Hypothesis: increasing degrees of application of security practices and security features, motivated by security risks, lead to growing levels of added software development effort. This effort increase can be quantified by a parametric model that takes as input the usage degrees of security practices and security requirements and outputs the additional software development effort. Contributions: accurate prediction of secure software development effort will support allocating a proper amount of resources to projects. We also expect that quantifying the security effort will advance research on the cost-effectiveness of software security.
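The abstract proposes a parametric model whose input is the usage degree of each security practice and whose output is added effort, but does not show its form. The block below is an added illustration, not the paper's model or its calibration: it uses the COCOMO II.2000 Post-Architecture shape (PM = A * Size^E * product of effort multipliers, with A = 2.94, B = 0.91 and the nominal scale-factor sum), and bolts on a hypothetical security cost driver in which each practice contributes a multiplier that is interpolated linearly from 1.0 (not applied) to an assumed full-usage value. The practice names and their multipliers are assumptions chosen for the example.

```python
"""Parametric effort model with a security cost driver (illustrative).

Effort follows the COCOMO II.2000 Post-Architecture form
PM = A * Size^E * prod(EM_i), with A = 2.94 and B = 0.91 from the
COCOMO II.2000 calibration. The security multipliers below are
hypothetical values chosen for this example, not a calibrated result
from the paper.
"""
from __future__ import annotations

COCOMO_A = 2.94   # COCOMO II.2000 multiplicative constant
COCOMO_B = 0.91   # COCOMO II.2000 base exponent
NOMINAL_SF_SUM = 18.97  # sum of the five nominal COCOMO II.2000 scale factors

# Hypothetical security cost driver (assumption for illustration): the
# effort multiplier each practice or requirement adds at full usage (1.0).
SECURITY_DRIVERS: dict[str, float] = {
    "threat_modeling": 1.08,
    "static_analysis": 1.05,
    "security_testing": 1.12,
    "secure_code_review": 1.10,
    "security_requirements": 1.15,
}


def security_multiplier(usage: dict[str, float]) -> float:
    """Map per-practice usage degrees in [0, 1] to one effort multiplier.

    Each practice interpolates linearly between 1.0 (not applied) and its
    full-usage multiplier; practices combine multiplicatively, the way
    COCOMO II combines its cost drivers.
    """
    multiplier = 1.0
    for practice, degree in usage.items():
        if practice not in SECURITY_DRIVERS:
            raise KeyError(f"unknown security practice: {practice}")
        if not 0.0 <= degree <= 1.0:
            raise ValueError(f"usage degree for {practice} must be in [0, 1]")
        multiplier *= 1.0 + degree * (SECURITY_DRIVERS[practice] - 1.0)
    return multiplier


def exponent(scale_factor_sum: float = NOMINAL_SF_SUM) -> float:
    """COCOMO II scale exponent E = B + 0.01 * sum(SF_j)."""
    return COCOMO_B + 0.01 * scale_factor_sum


def nominal_effort(ksloc: float, scale_factor_sum: float = NOMINAL_SF_SUM,
                   product_em: float = 1.0) -> float:
    """Effort in person-months before the security driver is applied."""
    if ksloc <= 0:
        raise ValueError("size must be positive")
    return COCOMO_A * ksloc ** exponent(scale_factor_sum) * product_em


def security_effort_delta(ksloc: float, usage: dict[str, float],
                          scale_factor_sum: float = NOMINAL_SF_SUM,
                          product_em: float = 1.0) -> tuple[float, float, float]:
    """Return (baseline PM, PM with security practices, added PM)."""
    base = nominal_effort(ksloc, scale_factor_sum, product_em)
    secure = base * security_multiplier(usage)
    return base, secure, secure - base


if __name__ == "__main__":
    # Constructed scenario: a 100 KSLOC product applying every practice
    # at the same rising degree, to show the hypothesised monotone growth.
    for degree in (0.0, 0.25, 0.5, 0.75, 1.0):
        usage = {p: degree for p in SECURITY_DRIVERS}
        base, secure, added = security_effort_delta(100, usage)
        print(f"degree={degree:.2f} base={base:7.1f} PM "
              f"secure={secure:7.1f} PM added={added:6.1f} PM ({added / base:.1%})")
```

The multiplicative combination is the point worth checking against real data: it makes the added effort scale with baseline size, whereas some practices (setting up a static-analysis pipeline, for instance) cost roughly the same regardless of product size, so a validated model may need an additive term or a per-practice choice between the two.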


Cited By
  • (2021)Infiltrating security into development: exploring the world’s largest software security studyProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3473926(1326-1336)Online publication date: 20-Aug-2021
  • (2021)Framework for Eliciting Security Requirements of Web Application from Business Users2021 25th International Computer Science and Engineering Conference (ICSEC)10.1109/ICSEC53205.2021.9684600(216-221)Online publication date: 18-Nov-2021


Published In

ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings
June 2020
357 pages
ISBN:9781450371223
DOI:10.1145/3377812

In-Cooperation

  • KIISE: Korean Institute of Information Scientists and Engineers
  • IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. secure software development
  2. software cost model
  3. software security practices


Conference

ICSE '20

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
