Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

Nafees, Tayyaba; Coull, Natalie; Ferguson, Ian; Sampson, Adam T.

doi:10.1007/978-3-319-62105-0_9

Cited by 5 publications

(4 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This observation suggests that the specific refactorings employed in the analyzed projects were not related to the reduction of the identified vulnerabilities. For instance, the study by Nafees et al [66] revealed that Extract Method refactoring can address Cross-Site Scripting (XSS) vulnerabilities, however, this vulnerability was not among the identified vulnerabilities in the current study.…”

Section: ) Effects Of Refactorings On Vulnerabilitiescontrasting

confidence: 57%

“…The premise could be the performed refactorings did not suffice to remove the identified vulnerabilities. However, we note that refactoring may have a positive impact on vulnerabilities as the study by Nafees et al [66] revealed that Extract Method refactorings can address Cross-Site Scripting (XSS) vulnerabilities. Another similar observation by Shaw et al [74] documented that Extract Method and Move Method refactorings can address overflow vulnerabilities.…”

Section: ) Impact Of Refactorings On Vulnerabilitiesmentioning

confidence: 91%

See 1 more Smart Citation

On the Impact of Refactorings on Software Attack Surface

Edward,

Nyamawe,

Elisa

2024

IEEE Access

View full text Add to dashboard Cite

Refactoring is one of the techniques mostly employed by software developers to improve the quality attributes of their systems. However, little has been done to investigate how refactoring operations specifically aimed at improving the internal structure of software can impact its security. Refactoring usually entails different code change operations including the decomposition of classes, methods, and the reallocation of code elements. While this refinement aims to improve the internal design of a system, it might inadvertently disperse security-critical code elements throughout the codebase. Consequently, such dispersion could affect the software attack surface. To this end, this paper presents an empirical study of 30 open-source software systems developed in Python, C, and Javascript. The study scrutinized two subsequent versions of each subject application to uncover the refactoring operations applied and the trend of the software attack surface. Specifically, the study focused on the injection or removal of bugs, code smells and other vulnerabilities aiming to discern the impact of refactorings on the software attack surface. Data was collected using wellknown tools, namely SonarQube, RefDiff, and PyReff. The findings suggest that refactorings can have multiple impacts (i.e., positive, negative, or neutral) on bugs, code smells, and vulnerabilities. The findings further confirm that developers must be aware of the combination or sequence of refactoring operations that can improve software quality without compromising its security.

show abstract

Section: ) Effects Of Refactorings On Vulnerabilitiescontrasting

confidence: 57%

Section: ) Impact Of Refactorings On Vulnerabilitiesmentioning

confidence: 91%

On the Impact of Refactorings on Software Attack Surface

Edward,

Nyamawe,

Elisa

2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Existing research has noted a gap in communication and security knowledge between developers and security experts (sometimes referred to as auditors) [110,111,165]. Some teams employ a developer who is interested in, or knowledgeable about, security to act as a liaison between the development team and security experts [165].…”

Section: Developers' Abilities and Expertisementioning

confidence: 99%

“…Given that security is not the developer's primary objective, as evidenced by our data and previous work [13,71,178], it is unrealistic to expect that developers will be able to remain current on such issues on top of their regular tasks. In addition, security information is often presented in a manner that is unusable to developers [110,111]. Thus, collaborating with those having high security expertise gives developers a chance to stay updated on security issues, and it could also lead to improving performance and motivation towards software security, as will be discussed later in this chapter.…”

Section: Collaborating In the Workplace ($ B )mentioning

confidence: 99%

The Human Dimension of Software Security and Factors Affecting Security Processes

Assal¹

View full text Add to dashboard Cite

Usable security for software developers is a research direction that is in its early stages. Even though developers typically have technical expertise, they are not necessarily security experts and need support when dealing with security. This thesis focuses on the human aspect of software security within the overall development process. The research employes mixed methods, including Cognitive Walkthrough studies, interviews, and an online survey study. We started by studying usability issues in code analysis tools, and designed a visual analysis environment to support collaboration between team members and exploration during security analysis of source code. However, while working on this project, we recognized that the software security problem is a larger one, relating to the overall process of integrating security in the Software Development Lifecycle. Thus, through 13 interviews and an online survey with 123 software developers, we explored real-life software security practices, how developers acquire security knowledge, and the motivators and deterrents to software security. Based on our empirical studies, we identified recommendations that can help support developers handle security throughout the Software Development Lifecycle. Our qualitative and quantitative analyses showed varying approaches to software security, and clear discrepancies between existing and best practices. Through exploring developers' motivations towards software security, we identified both extrinsic and intrinsic motivations. We found that acting towards software security volitionally and for reasons extending beyond mandates can lead to better security processes and better developer-engagement in these processes. Particularly, our studies showed that when the different entities involved in the Software Development Lifecycle communicate and collaborate, and when security is perceived as a common and shared responsibility, this can positively influence software security, e.g., by promoting internal motivations which are associated with improved engagement and cognitive abilities. Towards promoting the internalization of software security, we proposed a human-oriented model to describe how external software security motivations can be internalized. Our model highlights the interplay between security knowledge, team collaboration, and internal motivations to security. Working on this thesis was a wonderful journey with its fair share of ups and downs. I would like to express my gratitude to all those who have supported me throughout this journey. To my thesis supervisor, Sonia Chiasson, for her continuous support and guidance, and for her insights that helped elevate the quality of this research. Thank you Sonia for always being there, especially in the many sleepless nights before deadlines, and for being a friend, besides being a thesis supervisor. Thanks to the members of my committee, Heather Lipford, Timothy Lethbridge, Alejandro Ramirez, and Robert Biddle whose expertise, guidance, and feedback helped shape this thesis. I would e...

show abstract

Software Engineering: The First Line of Defense for Cybersecurity

Straub

2020

2020 IEEE 11th International Conference on Software Engineering and Service Science (ICSESS)

View full text Add to dashboard Cite

Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

Cited by 5 publications

References 17 publications

On the Impact of Refactorings on Software Attack Surface

On the Impact of Refactorings on Software Attack Surface

The Human Dimension of Software Security and Factors Affecting Security Processes

Software Engineering: The First Line of Defense for Cybersecurity

Contact Info

Product

Resources

About