Communicating on Security within Software Development Issue Tracking
- URL: http://arxiv.org/abs/2308.13480v1
- Date: Fri, 25 Aug 2023 16:38:27 GMT
- Title: Communicating on Security within Software Development Issue Tracking
- Authors: L\'eon McGregor, Manuel Maarek, Hans-Wolfgang Loidl
- Abstract summary: We analyse interfaces from prominent issue trackers to see how they support security communication and how they integrate security scoring.
Users in our study were not comfortable with CVSS analysis, though were able to reason in a manner compatible with CVSS.
This suggests that adding improvements to communication through CVSS-like questioning in issue tracking software can elicit better security interactions.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: During software development, balancing security and non security issues is
challenging. We focus on security awareness and approaches taken by
non-security experts using software development issue trackers when considering
security. We first analyse interfaces from prominent issue trackers to see how
they support security communication and how they integrate security scoring.
Then, we investigate through a small scale user study what criteria developers
take when prioritising issues, in particular observing their attitudes to
security.
We find projects make reference to CVSS summaries (Common Vulnerability
Scoring System), often alongside CVE reports (Common Vulnerabilities and
Exposures), but issue trackers do not often have interfaces designed for this.
Users in our study were not comfortable with CVSS analysis, though were able to
reason in a manner compatible with CVSS. Detailed explanations and advice were
seen as helpful in making security decisions. This suggests that adding
improvements to communication through CVSS-like questioning in issue tracking
software can elicit better security interactions.
Related papers
- Contextualizing Security and Privacy of Software-Defined Vehicles: State of the Art and Industry Perspectives [7.160802183553593]
Survey explores the cybersecurity and privacy challenges posed by Software-Defined Vehicles (SDVs)
SDVs increasingly integrate features like Over-the-Air (OTA) updates and Vehicle-to-Everything (V2X) communication.
Transition to SDVs also raises significant privacy concerns, with vehicles collecting vast amounts of sensitive data.
arXiv Detail & Related papers (2024-11-15T22:30:07Z) - Multimodal Situational Safety [73.63981779844916]
We present the first evaluation and analysis of a novel safety challenge termed Multimodal Situational Safety.
For an MLLM to respond safely, whether through language or action, it often needs to assess the safety implications of a language query within its corresponding visual context.
We develop the Multimodal Situational Safety benchmark (MSSBench) to assess the situational safety performance of current MLLMs.
arXiv Detail & Related papers (2024-10-08T16:16:07Z) - Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects.
We have identified common issues in outdated or unmaintained dependencies, that pose significant security risks.
Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
arXiv Detail & Related papers (2024-08-26T13:46:48Z) - Safetywashing: Do AI Safety Benchmarks Actually Measure Safety Progress? [59.96471873997733]
We propose an empirical foundation for developing more meaningful safety metrics and define AI safety in a machine learning research context.
We aim to provide a more rigorous framework for AI safety research, advancing the science of safety evaluations and clarifying the path towards measurable progress.
arXiv Detail & Related papers (2024-07-31T17:59:24Z) - Cross-Modality Safety Alignment [73.8765529028288]
We introduce a novel safety alignment challenge called Safe Inputs but Unsafe Output (SIUO) to evaluate cross-modality safety alignment.
To empirically investigate this problem, we developed the SIUO, a cross-modality benchmark encompassing 9 critical safety domains, such as self-harm, illegal activities, and privacy violations.
Our findings reveal substantial safety vulnerabilities in both closed- and open-source LVLMs, underscoring the inadequacy of current models to reliably interpret and respond to complex, real-world scenarios.
arXiv Detail & Related papers (2024-06-21T16:14:15Z) - What Can Self-Admitted Technical Debt Tell Us About Security? A
Mixed-Methods Study [6.286506087629511]
Self-Admitted Technical Debt (SATD)
can be deemed as dreadful sources of information on potentially exploitable vulnerabilities and security flaws.
This work investigates the security implications of SATD from a technical and developer-centred perspective.
arXiv Detail & Related papers (2024-01-23T13:48:49Z) - Investigate how developers and managers view security design in software [0.0]
We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack.
We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security.
arXiv Detail & Related papers (2023-10-22T22:44:02Z) - Leveraging Traceability to Integrate Safety Analysis Artifacts into the
Software Development Process [51.42800587382228]
Safety assurance cases (SACs) can be challenging to maintain during system evolution.
We propose a solution that leverages software traceability to connect relevant system artifacts to safety analysis models.
We elicit design rationales for system changes to help safety stakeholders analyze the impact of system changes on safety.
arXiv Detail & Related papers (2023-07-14T16:03:27Z) - Getting Users Smart Quick about Security: Results from 90 Minutes of
Using a Persuasive Toolkit for Facilitating Information Security Problem
Solving by Non-Professionals [2.4923006485141284]
A balanced level of user engagement in security is difficult to achieve due to difference of priorities between the business perspective and the security perspective.
We have developed a persuasive software toolkit to engage users in structured discussions about security vulnerabilities in their company.
In the research reported here we examine how non-professionals perceived security problems through a short-term use of the toolkit.
arXiv Detail & Related papers (2022-09-06T11:37:21Z) - A System for Automated Open-Source Threat Intelligence Gathering and
Management [53.65687495231605]
SecurityKG is a system for automated OSCTI gathering and management.
It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
arXiv Detail & Related papers (2021-01-19T18:31:35Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.