Communicating on Security within Software Development Issue Tracking

Research output: Contribution to conferencePaperpeer-review

11 Downloads (Pure)

Abstract

During software development, balancing security and non security issues is challenging. We focus on security awareness and approaches taken by non-security experts using software development issue trackers when considering security. We first analyse interfaces from prominent issue trackers to see how they support security communication and how they integrate security scoring. Then, we investigate through a small scale user study what criteria developers take when prioritising issues, in particular observing their attitudes to security.

We find projects make reference to CVSS summaries (Common Vulnerability Scoring System), often alongside CVE reports (Common Vulnerabilities and Exposures), but issue trackers do not often have interfaces designed for this. Users in our study were not comfortable with CVSS analysis, though were able to reason in a manner compatible with CVSS. Detailed explanations and advice were seen as helpful in making security decisions. This suggests that adding improvements to communication through CVSS-like questioning in issue tracking software can elicit better security interactions.
Original languageEnglish
Publication statusAccepted/In press - 12 Jun 2023
Event9th Workshop on Security Information Workers 2023 - Co-located Workshop at SOUPS 2023, Anaheim, United States
Duration: 6 Aug 20236 Aug 2023
https://devusec.de/2023-conference-wsiw/

Workshop

Workshop9th Workshop on Security Information Workers 2023
Abbreviated titleWSIW'23
Country/TerritoryUnited States
CityAnaheim
Period6/08/236/08/23
Internet address

Fingerprint

Dive into the research topics of 'Communicating on Security within Software Development Issue Tracking'. Together they form a unique fingerprint.

Cite this