Sharing of Vulnerability Information among Companies: A Survey of Swedish Companies
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering; RISE Research Institutes of Sweden, SWE.
Dept. of Electrical and Information Technology, Lund.
Dept. of Computer Science, Lund.
Software and Systems Engineering Lab, RISE Research Institutes of Sweden, Kista.
2019 (English). In: 45th Euromicro Conference on Software Engineering and Advanced Applications, Institute of Electrical and Electronics Engineers (IEEE), 2019, p. 284-291, article id 8906689. Conference paper, Published paper (Refereed)
Abstract [en]

Software products are rarely developed from scratch, and vulnerabilities in such products might reside in parts that are either open source software or provided by another organization. Hence, the total cybersecurity of a product often depends on cooperation, explicit or implicit, between several organizations. We study the attitudes and practices of companies in software ecosystems towards sharing vulnerability information. Furthermore, we compare these practices to contemporary cybersecurity recommendations. This is performed through a questionnaire-based qualitative survey. The questionnaire is divided into two parts: the providers' perspective and the acquirers' perspective. The results show that companies are willing to share vulnerability information with each other. Sharing is considered harmful neither to cybersecurity nor to their business, even though a majority of the respondents consider vulnerability information sensitive. However, the companies, despite being open to sharing, are less inclined to share vulnerability information proactively. Furthermore, the providers do not perceive a large interest in vulnerability information from their customers. Hence, the companies' overall attitude to sharing vulnerability information is passive but open. In contrast, contemporary cybersecurity guidelines recommend active disclosure and sharing among actors in an ecosystem.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2019. p. 284-291, article id 8906689
Series
Proceedings of the EUROMICRO Conference, ISSN 1089-6503, E-ISSN 2376-9505
Keywords [en]
Open source software, Surveys, Cybersecurity, Vulnerabilities
National Category
Software Engineering
Research subject
Software Engineering
Identifiers
URN: urn:nbn:se:bth-21205
DOI: 10.1109/SEAA.2019.00051
ISBN: 9781728132853 (print)
OAI: oai:DiVA.org:bth-21205
DiVA id: diva2:1535195
Conference
45th Euromicro Conference on Software Engineering and Advanced Applications, SEAA 2019, Kallithea, Chalkidiki, Greece, 28 August through 30 August
Funder
Vinnova, 2016-00603, 2018-03965; Swedish Civil Contingencies Agency, 2015-6986
Available from: 2021-03-08. Created: 2021-03-08. Last updated: 2023-04-03. Bibliographically approved.
In thesis
1. Understanding and Supporting Quality Requirements Engineering in Software-intensive Product Development
2020 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

[Background] Quality requirements deal with how well a product should perform the intended functionality. Failure to meet essential quality requirements can result in customer dissatisfaction, unusable products, or extra costs. [Objective] The aim is to identify challenges and needs in practice and to design solutions for quality requirements engineering which can be applied in practice. [Results] In the two exploratory studies, quality requirements engineering practices are investigated. I confirm that the fulfillment of some quality requirements is not a matter of being implemented or not, but is rather evaluated on a scale. Furthermore, some quality requirements are cross-functional. Also, the product lifecycle phase seems to influence both the prevalence and the acceptance of quality requirements in the scope decision process. Lastly, relying on external stakeholders and upfront analysis seems to lead to long lead times and an insufficient quality requirements scope. QREME is a conceptual quality requirements engineering model with a lifecycle perspective. It is built upon a construct with a strategic and a tactical level, a product and a data dimension to include data in the scope decision process, and a forward and a feedback loop to enable a data-driven scope decision process. QREME is validated with five companies in a multi-case study. QREME was able to capture the companies' ways of working and provide relevant improvement recommendations. Also, the presence of the underlying constructs was confirmed. [Conclusions] Quality requirements engineering should be integrated with the overall requirements process. Awareness of quality requirements on a strategic level and catering for the product and portfolio lifecycle are important for success. I conclude that there is potential in sources such as usage data, customer service data, and continuous experimentation to complement stakeholder analysis, expert input, and focus groups.
However, there is a need to better understand challenges and needs in practice, especially from a lifecycle perspective. Furthermore, longitudinal studies are needed to evaluate quality requirements solutions over time, to understand the impact, costs, and benefits.

Place, publisher, year, edition, pages
Karlskrona: Blekinge Tekniska Högskola, 2020. p. 258
Series
Blekinge Institute of Technology Doctoral Dissertation Series, ISSN 1653-2090 ; 8
Keywords
Quality requirements, Requirements engineering
National Category
Software Engineering
Research subject
Software Engineering
Identifiers
URN: urn:nbn:se:bth-20248
ISBN: 978-91-7295-407-6
Public defence
2020-09-25, 13:00
Available from: 2020-08-07. Created: 2020-08-07. Last updated: 2021-03-08. Bibliographically approved.
Authority records

Olsson, Thomas