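@inproceedings{53811,
  author        = {Taaibi, Samira and Dziwok, Stefan and Hermerschmidt, Lars and Koch, Thorsten and Merschjohann, Sven and Vollmary, Mark},
  title         = {{Security Belts}: A Maturity Model for {DevOps} Teams to Increase the Software Security of their Product - An Experience Report},
  venue         = {Salt Lake City},
  year          = {2024},
  keywords      = {Software security, maturity model},
  abstract      = {Persistent security challenges plague DevOps teams due to a deficiency in expertise regarding security tools and methods, as evidenced by frequent security incidents. Existing maturity models fail to adequately address the specific needs of DevOps teams. In response, this paper proposes "Security Belts," a novel maturity model inspired by martial arts ranking systems. This model aims to assist DevOps teams in enhancing their security capabilities by providing a structured approach, starting with fundamental activities and progressing to more advanced techniques. Drawing from the experiences of monitoring 21 teams, the paper presents lessons learned and offers actionable advice for refining maturity models tailored to software quality improvement.},
  internal-note = {@inproceedings requires a booktitle, but the proceedings title is not recorded here; TODO: add it from the publisher record. The conference city was moved from location (publisher's city in biblatex) to venue.},
}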

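@inproceedings{43395,
  author       = {Trentinaglia, Roman and Merschjohann, Sven and Fockel, Markus and Eikerling, Hendrik},
  title        = {Eliciting Security Requirements – An Experience Report},
  booktitle    = {{REFSQ} 2023: Requirements Engineering: Foundation for Software Quality},
  publisher    = {Springer Nature Switzerland},
  year         = {2023},
  doi          = {10.1007/978-3-031-29786-1_25},
  isbn         = {9783031297854},
  issn         = {0302-9743},
}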

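@inproceedings{33837,
  author        = {Piskachev, Goran and Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Bodden, Eric},
  title         = {How far are {German} companies in improving security through static program analysis tools?},
  year          = {2022},
  internal-note = {@inproceedings requires a booktitle, but the proceedings title is not recorded here; TODO: add it from the publisher record.},
}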

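@unpublished{23534,
  author        = {Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven and Budweg, Boris and Leuer, Sebastian},
  title         = {{AppSecure.nrw} Software Security Study},
  year          = {2021},
  eprint        = {2108.11752},
  eprinttype    = {arXiv},
  note          = {arXiv preprint},
  abstract      = {In recent years, the World Economic Forum has identified software security as
the most significant technological risk to the world's population, as
software-intensive systems process critical data and provide critical services.
This raises the question of the extent to which German companies are addressing
software security in developing and operating their software products. This
paper reports on the results of an extensive study among developers, product
owners, and managers to answer this question. Our results show that ensuring
security is a multi-faceted challenge for companies, involving low awareness,
inaccurate self-assessment, and a lack of competence on the topic of secure
software development among all stakeholders. The current situation in software
development is therefore detrimental to the security of software products in
the medium and long term.},
  internal-note = {The arXiv identifier was previously stored in booktitle; it now lives in eprint/eprinttype so styles render it as an eprint link. note is a required field for @unpublished.},
}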

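@inproceedings{22805,
  author        = {Fockel, Markus and Merschjohann, Sven and Fazal-Baqaie, Masud and Förder, Torsten and Hausmann, Stefan and Waldeck, Boris},
  title         = {Designing and Integrating {IEC 62443} Compliant Threat Analysis},
  booktitle     = {European System, Software \& Service Process Improvement \& Innovation Conference ({EuroSPI} 2019)},
  volume        = {1060},
  venue         = {Edinburgh, UK},
  year          = {2019},
  doi           = {10.1007/978-3-030-28005-5_5},
  issn          = {1865-0929},
  internal-note = {Bare ampersands in booktitle were escaped as \& (an unescaped & is an alignment tab in LaTeX and aborts the bibliography). The conference city was moved from location to venue.},
}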

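@inproceedings{21929,
  author        = {Altemeier, Katharina and Becker, Matthias and Dziwok, Stefan and Koch, Thorsten and Merschjohann, Sven},
  title         = {Was fehlt (bisher) um {Apps} sicher zu entwickeln? - {Prozesse}, {Werkzeuge} und {Schulungen} für sichere {Apps} by {Design}},
  booktitle     = {Projektmanagement und Vorgehensmodelle 2019 ({PVM} 2019)},
  editor        = {Mikusz, Martin},
  publisher     = {Gesellschaft für Informatik e.V.},
  year          = {2019},
  langid        = {german},
  internal-note = {German title: capitalised nouns are brace-protected so sentence-casing styles do not lowercase them; langid selects German hyphenation for this entry under biblatex.},
}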

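@inproceedings{20780,
  author       = {Fockel, Markus and Merschjohann, Sven and Fazal-Baqaie, Masud},
  title        = {Threat Analysis in Practice - Systematically Deriving Security Requirements},
  booktitle    = {19th International Conference on Product-Focused Software Process Improvement ({PROFES} 2018)},
  publisher    = {Springer Nature Switzerland AG},
  year         = {2018},
  doi          = {10.1007/978-3-030-03673-7_25},
  abstract     = {With the growing number of incidents, the topic security gains more and more attention across all domains. Organizations realize their lack of state-of-the-art security practices, however, they struggle to improve their software lifecycle in terms of security. In this talk, we introduce the concept of security by design that implements security practices within the whole software lifecycle. Based on our practical experience from industry projects in the regulated industrial automation and unregulated classical IT domain, we explain how to perform a threat analysis and how to integrate it into the software lifecycle.},
}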

