The second paper resulting from our collaboration with SAP on developing models for estimating the time to fix security issues is published by the Data Science and Engineering journal, Springer. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. The work shows that the time it takes to fix an issue seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. The models could be used to implement a continuous improvement of the secure software development processes and to measure the impact of individual improvements. The paper is published as open source and is available here.
Cross-posted from Secure Software Engineering