---
_id: '20553'
abstract:
- lang: eng
  text: Finding and fixing software vulnerabilities has become a major struggle for
    most software development companies. While generally without alternative, such
    fixing efforts are a major cost factor, which is why companies have a vital interest
    in focusing their secure software development activities such that they obtain
    an optimal return on this investment. In this paper, we quantitatively investigate
    the major factors that impact the time it takes to fix a given security issue
    based on data collected automatically within SAP's secure development process,
    and we show how the issue fix time could be used to monitor the fixing process.
    We use three machine learning methods and evaluate their predictive power in predicting
    the time to fix issues. Interestingly, the models indicate that vulnerability
    type has a less dominant impact on issue fix time than previously believed. The
    time it takes to fix an issue instead seems much more related to the component
    in which the potential vulnerability resides, the project related to the issue,
    the development groups that address the issue, and the closeness of the software
    release date. This indicates that the software structure, the fixing processes,
    and the development groups are the dominant factors that impact the time spent
    to address security issues. SAP can use the models to implement a continuous improvement
    of its secure software development process and to measure the impact of individual
    improvements. The development teams at SAP develop different types of software,
    adopt different internal development processes, use different programming languages
    and platforms, and are located in different cities and countries. Other organizations
    may use the results---with precaution---and be learning organizations.
author:
- first_name: Lotfi
  full_name: Ben Othmane, Lotfi
  last_name: Ben Othmane
- first_name: Golriz
  full_name: Chehrazi, Golriz
  last_name: Chehrazi
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Petar
  full_name: Tsalovski, Petar
  last_name: Tsalovski
- first_name: Achim D.
  full_name: Brucker, Achim D.
  last_name: Brucker
citation:
  ama: 'Ben Othmane L, Chehrazi G, Bodden E, Tsalovski P, Brucker AD. Time for Addressing
    Software Security Issues: Prediction Models and Impacting Factors. <i>Data Science
    and Engineering</i>. 2017;2(2):107-124. doi:<a href="https://doi.org/10.1007/s41019-016-0019-8">https://doi.org/10.1007/s41019-016-0019-8</a>'
  apa: 'Ben Othmane, L., Chehrazi, G., Bodden, E., Tsalovski, P., &#38; Brucker, A.
    D. (2017). Time for Addressing Software Security Issues: Prediction Models and
    Impacting Factors. <i>Data Science and Engineering</i>, <i>2</i>(2), 107–124.
    <a href="https://doi.org/10.1007/s41019-016-0019-8">https://doi.org/10.1007/s41019-016-0019-8</a>'
  bibtex: '@article{Ben Othmane_Chehrazi_Bodden_Tsalovski_Brucker_2017, title={Time
    for Addressing Software Security Issues: Prediction Models and Impacting Factors},
    volume={2}, DOI={<a href="https://doi.org/10.1007/s41019-016-0019-8">https://doi.org/10.1007/s41019-016-0019-8</a>},
    number={2}, journal={Data Science and Engineering}, author={Ben Othmane, Lotfi
    and Chehrazi, Golriz and Bodden, Eric and Tsalovski, Petar and Brucker, Achim
    D.}, year={2017}, pages={107–124} }'
  chicago: 'Ben Othmane, Lotfi, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, and
    Achim D. Brucker. “Time for Addressing Software Security Issues: Prediction Models
    and Impacting Factors.” <i>Data Science and Engineering</i> 2, no. 2 (2017): 107–24.
    <a href="https://doi.org/10.1007/s41019-016-0019-8">https://doi.org/10.1007/s41019-016-0019-8</a>.'
  ieee: 'L. Ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, and A. D. Brucker,
    “Time for Addressing Software Security Issues: Prediction Models and Impacting
    Factors,” <i>Data Science and Engineering</i>, vol. 2, no. 2, pp. 107–124, 2017,
    doi: <a href="https://doi.org/10.1007/s41019-016-0019-8">https://doi.org/10.1007/s41019-016-0019-8</a>.'
  mla: 'Ben Othmane, Lotfi, et al. “Time for Addressing Software Security Issues:
    Prediction Models and Impacting Factors.” <i>Data Science and Engineering</i>,
    vol. 2, no. 2, 2017, pp. 107–24, doi:<a href="https://doi.org/10.1007/s41019-016-0019-8">https://doi.org/10.1007/s41019-016-0019-8</a>.'
  short: L. Ben Othmane, G. Chehrazi, E. Bodden, P. Tsalovski, A.D. Brucker, Data
    Science and Engineering 2 (2017) 107–124.
date_created: 2020-11-30T10:24:50Z
date_updated: 2022-01-06T06:54:29Z
department:
- _id: '76'
doi: https://doi.org/10.1007/s41019-016-0019-8
intvolume: '         2'
issue: '2'
language:
- iso: eng
page: 107-124
publication: Data Science and Engineering
publication_identifier:
  issn:
  - 2364-1541
related_material:
  link:
  - relation: confirmation
    url: http://bodden.de/pubs/bcb17time.pdf
status: public
title: 'Time for Addressing Software Security Issues: Prediction Models and Impacting
  Factors'
type: journal_article
user_id: '5786'
volume: 2
year: '2017'
...
