The Current Practices of Changing Secure Software: An Empirical Study

Jamil, Ameerah Muhsina
ben Othmane, Lotfi
Valani, Altaz
Abdelkhalek, Moataz
Tek, Ayhan
Journal Title
Journal ISSN
Volume Title
Research Projects
Organizational Units
Journal Issue

Developers change the code of their software to add new features, fix bugs, or enhance its structure. Such frequent changes impact occasionally the security of the software. This paper reports a qualitative study of the practices of changing secure-software in the industry. The study involves interviews with eleven developers and security experts working on banking software, software for control systems, and software consultation companies. Through these interviews, we identified that the main security aspects are: dependency vulnerabilities, authentication and authorization, and OWASP 10 vulnerabilities. The common techniques used to assess software after code change are: code review, code analysis, testing, and keywords search. The main challenges that practitioners face are the diversity of the security issues and the lack of effectiveness of the security assurance tools in detecting vulnerabilities. The study suggests that developers of secure software need techniques that support effective security assurance of modified software.


This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Jamil, Ameerah Muhsinah, Lotfi ben Othmane, Altaz Valani, Moataz Abdelkhalek, and Ayhan Tek. “The Current Practices of Changing Secure Software.” The 35th ACM/SIGAPP Symposium On Applied Computing. Brno, Czech Republic, March 30-April 3, 2020. DOI: 10.1145/3341105.3373922. Posted with permission.