The development of secure software systems is an increasingly important research topic in software engineering. Several authors have proposed methods, techniques and tools to software development practices in order to identify and/or mitigate security threats. These methods and techniques are based in traditional software engineering artifacts, such as Use Cases, Activity Diagrams and Domain Models. However, the lack of scientific evidence of the quality or efficiency of these methods, leads us to question if this approach is necessary for software security experts. This article proposes an experimental approach to explore if software development artifacts are relevant when making security decisions in software development, and how are they used. We have designed a survey in order to ask these questions to software security and architecture experts. We used the Constant Comparison Method in order to find emerging security theories about software artifacts, grounded in the answers of the experts. Our results add experimental evidence into the use and usefullness of software development artifacts in helping to reduce security vulnerabilities in practice, from the experts point of view. Our results add experimental evidence into the use and usefulness of software development artifacts to evaluate the security from the point of view of the experts. Our evidence suggests that not all software artifacts are equally useful in the design of secure architectures , considering the "Use Cases" and "Class Diagrams" as the most useful artifacts according to our respondents. Also, our evidence suggest that experts do not agree in the importance of analyzing security concerns through the whole software life cycle, nor in the abstraction level required for this task.
|Title of host publication||34th International Conference of the Chilean Computer Science Society (SCCC), 2015|
|ISBN (Electronic)||978-1-4673-9817-6, 978-1-4673-9816-9|
|Publication status||Published - 2015|
- Software Architecture
- Software Engineering
- Empirical Software Engineering