Abstract
During software development, balancing security and non security issues is challenging. We focus on security awareness and approaches taken by non-security experts using software development issue trackers when considering security. We first analyse interfaces from prominent issue trackers to see how they support security communication and how they integrate security scoring. Then, we investigate through a small scale user study what criteria developers take when prioritising issues, in particular observing their attitudes to security.
We find projects make reference to CVSS summaries (Common Vulnerability Scoring System), often alongside CVE reports (Common Vulnerabilities and Exposures), but issue trackers do not often have interfaces designed for this. Users in our study were not comfortable with CVSS analysis, though were able to reason in a manner compatible with CVSS. Detailed explanations and advice were seen as helpful in making security decisions. This suggests that adding improvements to communication through CVSS-like questioning in issue tracking software can elicit better security interactions.
We find projects make reference to CVSS summaries (Common Vulnerability Scoring System), often alongside CVE reports (Common Vulnerabilities and Exposures), but issue trackers do not often have interfaces designed for this. Users in our study were not comfortable with CVSS analysis, though were able to reason in a manner compatible with CVSS. Detailed explanations and advice were seen as helpful in making security decisions. This suggests that adding improvements to communication through CVSS-like questioning in issue tracking software can elicit better security interactions.
Original language | English |
---|---|
Publication status | Accepted/In press - 12 Jun 2023 |
Event | 9th Workshop on Security Information Workers 2023 - Co-located Workshop at SOUPS 2023, Anaheim, United States Duration: 6 Aug 2023 → 6 Aug 2023 https://devusec.de/2023-conference-wsiw/ |
Workshop
Workshop | 9th Workshop on Security Information Workers 2023 |
---|---|
Abbreviated title | WSIW'23 |
Country/Territory | United States |
City | Anaheim |
Period | 6/08/23 → 6/08/23 |
Internet address |