{"title":"Information on Potential Vulnerabilities for New Requirements: Does It Help Writing Secure Code?","authors":"Md Rayhan Amin, Tanmay Bhowmik","doi":"10.1109/RE51729.2021.00046","DOIUrl":null,"url":null,"abstract":"Recent research advocates a proactive approach toward addressing software vulnerability, i.e., identification and resolution of vulnerability before exploitation. To that end, recent research has presented a framework to provide developers with information related to vulnerabilities that are identified with the existing implementation of functionally similar requirements. The idea is that a developer implementing a new requirement may learn from such vulnerability information and write her code in a secure manner. Given the various technologies and platforms a developer may use to implement the current system, to what extent such information would actually help in writing secure code is an open question. In this paper, we design a human subject study to explore how information related to potential vulnerabilities influences developers on secure implementation of new requirements. We further present a pilot run of our study with 50 participants. The results suggest that developers with limited professional experience could be a major beneficiary of the information on potential vulnerabilities.","PeriodicalId":440285,"journal":{"name":"2021 IEEE 29th International Requirements Engineering Conference (RE)","volume":"51 8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE 29th International Requirements Engineering Conference (RE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/RE51729.2021.00046","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 1