---
res:
  bibo_abstract:
  - Finding and fixing software vulnerabilities have become a major struggle for most
    software development companies. While generally without alternative, such fixing
    efforts are a major cost factor, which is why companies have a vital interest
    in focusing their secure software development activities such that they obtain
    an optimal return on this investment. We investigate, in this paper, quantitatively
    the major factors that impact the time it takes to fix a given security issue
    based on data collected automatically within SAP's secure development process,
    and we show how the issue fix time could be used to monitor the fixing process.
    We use three machine learning methods and evaluate their predictive power in predicting
    the time to fix issues. Interestingly, the models indicate that vulnerability
    type has less dominant impact on issue fix time than previously believed. The
    time it takes to fix an issue instead seems much more related to the component
    in which the potential vulnerability resides, the project related to the issue,
    the development groups that address the issue, and the closeness of the software
    release date. This indicates that the software structure, the fixing processes,
    and the development groups are the dominant factors that impact the time spent
    to address security issues. SAP can use the models to implement a continuous improvement
    of its secure software development process and to measure the impact of individual
    improvements. The development teams at SAP develop different types of software,
    adopt different internal development processes, use different programming languages
    and platforms, and are located in different cities and countries. Other organizations,
    may use the results---with precaution---and be learning organizations.@eng
  bibo_authorlist:
  - foaf_Person:
      foaf_givenName: Lotfi
      foaf_name: Ben Othmane, Lotfi
      foaf_surname: Ben Othmane
  - foaf_Person:
      foaf_givenName: Golriz
      foaf_name: Chehrazi, Golriz
      foaf_surname: Chehrazi
  - foaf_Person:
      foaf_givenName: Eric
      foaf_name: Bodden, Eric
      foaf_surname: Bodden
      foaf_workInfoHomepage: http://www.librecat.org/personId=59256
    orcid: 0000-0003-3470-3647
  - foaf_Person:
      foaf_givenName: Petar
      foaf_name: Tsalovski, Petar
      foaf_surname: Tsalovski
  - foaf_Person:
      foaf_givenName: Achim D.
      foaf_name: Brucker, Achim D.
      foaf_surname: Brucker
  bibo_doi: https://doi.org/10.1007/s41019-016-0019-8
  bibo_issue: '2'
  bibo_volume: 2
  dct_date: 2017^xs_gYear
  dct_isPartOf:
  - http://id.crossref.org/issn/2364-1541
  dct_language: eng
  dct_title: 'Time for Addressing Software Security Issues: Prediction Models and
    Impacting Factors@'
...