Developing secure software requires the integration of numerous methods and tools into the development process, and software design is based on shared expert knowledge, claims, and opinions. Empirical methods, including data analytics, allow extracting knowledge and insights from the data that organizations collect from their processes and tools, and from the opinions of the experts who practice these processes and methods. This book introduces the reader to the fundamentals of empirical research methods, and demonstrates how these methods can be used to hone a secure software development lifecycle based on empirical data and published best practices.
| Preface |
|
ix | |
|
|
|
xiii | |
|
|
|
xv | |
| Contributors |
|
xix | |
|
1 Empirical Research on Security and Privacy by Design |
|
|
1 | (46) |
|
|
|
|
|
|
|
|
|
|
|
|
|
2 | (3) |
|
1.2 Empirical Research on Security and Privacy by Design |
|
|
5 | (4) |
|
|
|
9 | (3) |
|
|
|
12 | (18) |
|
|
|
30 | (5) |
|
1.6 Analysis and Interpretation |
|
|
35 | (6) |
|
1.7 Presentation and Packaging |
|
|
41 | (2) |
|
|
|
43 | (4) |
|
2 Guidelines for Systematic Mapping Studies in Security Engineering |
|
|
47 | (22) |
|
|
|
|
|
|
|
48 | (1) |
|
2.2 Background on Systematic Mapping Studies in Software Engineering |
|
|
49 | (6) |
|
2.3 Overview of Available Mapping Studies in Security Engineering |
|
|
55 | (2) |
|
2.4 Guidelines for Systematic Mapping Studies in Security Engineering |
|
|
57 | (8) |
|
|
|
65 | (4) |
|
3 An Introduction to Data Analytics for Software Security |
|
|
69 | (26) |
|
|
|
|
|
|
|
|
|
|
|
70 | (1) |
|
3.2 Secure Software Development |
|
|
71 | (3) |
|
3.3 Software Security Analytical Process |
|
|
74 | (8) |
|
3.4 Learning Methods Used in Software Security |
|
|
82 | (4) |
|
3.5 Evaluation of Model Performance |
|
|
86 | (3) |
|
|
|
89 | (1) |
|
|
|
89 | (1) |
|
|
|
90 | (5) |
|
4 Generating Software Security Knowledge Through Empirical Methods |
|
|
95 | (44) |
|
|
|
|
|
|
|
|
|
|
|
4.1 Introduction and Motivation |
|
|
96 | (1) |
|
4.2 Empirical Methods for Knowledge Generation |
|
|
97 | (2) |
|
4.3 Example Application Domain: Secure Software Development Research Project |
|
|
99 | (1) |
|
|
|
100 | (12) |
|
4.5 Systematic Literature Mappings |
|
|
112 | (10) |
|
|
|
122 | (6) |
|
4.7 Experimental Replications |
|
|
128 | (4) |
|
|
|
132 | (2) |
|
|
|
134 | (5) |
|
5 Visual Analytics: Foundations and Experiences in Malware Analysis |
|
|
139 | (34) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
140 | (1) |
|
5.2 Background in Malware Analysis |
|
|
140 | (3) |
|
5.3 Visual Analytics Foundations |
|
|
143 | (7) |
|
5.4 The Knowledge Generation Process |
|
|
150 | (2) |
|
5.5 Design and Evaluation for Visual Analytics Systems |
|
|
152 | (2) |
|
5.6 Experience in Malware Analysis |
|
|
154 | (7) |
|
|
|
161 | (3) |
|
|
|
164 | (9) |
|
6 Analysis of Metrics for Classification Accuracy in Intrusion Detection |
|
|
173 | (28) |
|
|
|
|
|
|
|
174 | (1) |
|
|
|
175 | (10) |
|
|
|
185 | (6) |
|
6.4 What Hinders Adoption of Alternative Metrics |
|
|
191 | (3) |
|
6.5 Guidelines for Introducing New Evaluation Metrics |
|
|
194 | (1) |
|
|
|
195 | (1) |
|
|
|
196 | (5) |
|
7 The Building Security in Maturity Model as a Research Tool |
|
|
201 | (8) |
|
|
|
|
|
201 | (1) |
|
|
|
202 | (1) |
|
7.3 Questionnaires in Software Security |
|
|
202 | (2) |
|
|
|
204 | (1) |
|
|
|
205 | (2) |
|
|
|
207 | (2) |
|
8 Agile Test Automation for Web Applications --- A Security Perspective |
|
|
209 | (40) |
|
Sandra Domenique Ringmann |
|
|
|
|
|
|
210 | (1) |
|
|
|
211 | (1) |
|
|
|
212 | (5) |
|
8.4 Testing and Test Automation from the Security Perspective |
|
|
217 | (5) |
|
8.5 Static Analysis Tools |
|
|
222 | (7) |
|
8.6 Dynamic Analysis Tools and Frameworks |
|
|
229 | (9) |
|
8.7 Evaluating Static/Dynamic Analysis Tools and Frameworks |
|
|
238 | (1) |
|
8.8 Appraisal of the Tools |
|
|
239 | (1) |
|
|
|
240 | (9) |
|
9 Benchmark for Empirical Evaluation of Web Application Anomaly Detectors |
|
|
249 | (26) |
|
|
|
|
|
|
|
|
|
250 | (1) |
|
|
|
251 | (5) |
|
9.3 Benchmark Characteristics for Application-Layer Attack Detection Approaches |
|
|
256 | (5) |
|
9.4 An Example Environment for Generating Benchmark Data |
|
|
261 | (4) |
|
9.5 Using the Benchmark Dataset to Evaluate an IDS |
|
|
265 | (6) |
|
|
|
271 | (4) |
|
10 Threats to Validity in Empirical Software Security Research |
|
|
275 | (26) |
|
|
|
|
|
|
|
276 | (1) |
|
|
|
277 | (1) |
|
10.3 Validity for Quantitative Research |
|
|
278 | (11) |
|
10.4 Threats to Validity for Qualitative Research |
|
|
289 | (8) |
|
10.5 Summary and Conclusions |
|
|
297 | (4) |
| Index |
|
301 | |
Dr. Lotfi ben Othmane is on the faculty at the Department of Electrical and Computer Engineering, Iowa State University, USA. Previously, he was a Research Scientist and then Head of the Secure Software Engineering department at Fraunhofer SIT, Germany. Lotfi received his Ph.D. from Western Michigan University (WMU), USA, in 2010; the M.S. in computer science from University of Sherbrooke, Canada, in 2000; and the B.S in information systems from University of Sfax, Tunisia, in 1995. He works currently on software security, specifically on (1) the application of empirical methods to address software security challenges and (2) the impact of incremental development on the security of software.
Dr. Martin Gilje Jaatun is a Senior Scientist at SINTEF ICT, where he has been employed since 2004. He received his Sivilingeniųr degree in Telematics from the Norwegian Institute of Technology (NTH) in 1992, and the Dr.Philos. degree from the University of Stavanger in 2015. Previous positions include scientist at the Norwegian Defence Research Establishment (FFI), and Senior Lecturer in information security at the Bodų Graduate School of Business. His research interests include software security, security in cloud computing, and security of critical information infrastructures. Dr. Jaatun is an associate editor of the International Journal of Secure Software engineering. He is vice chairman of the Cloud Computing Association (cloudcom.org), vice chairman of Cloud Security Alliance Norway, and a Senior Member of the IEEE.
Dr. Edgar Weippl is Research Director of SBA Research and Associate Professor at the Vienna University of Technology. His research focuses on applied concepts of IT security. He has published numerous articles in journals and more than 100 papers in peer-reviewed conferences. After graduating with a Ph.D. from the Vienna University of Technology, he worked in a research startup for two years. He then spent one year teaching as an assistant professor at Beloit College, WI. From 2002 to 2004, he was a Consultant for a Health Maintenance Organization (HMO) in New York and Albany, NY, and for Deutsche Bank, Frankfurt, Germany. In 2004 he joined the Vienna University of Technology and co-founded SBA Research. Dr. Weippl has edited a large number of special issues in journals such as Information Security Technical Report and Computers & Security.
Biežāk uzdotie jautājumi par e-grāmatām