ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Fri 19 May 2023 11:45 - 12:00 at Meeting Room 105 - Software processes Chair(s): Rashina Hoda

Due to ever-increasing security breaches, practitioners are motivated to produce more secure software. In the United States, the White House Office released a memorandum on Executive Order (EO) 14028 that mandates organizations provide self-attestation of the use of secure software development practices. The OpenSSF Scorecard project allows practitioners to measure the use of software security practices automatically. However, little research has been done to determine whether the use of security practices improves package security, and in particular which security practices have the biggest impact on security outcomes. The goal of this study is to assist practitioners and researchers in making informed decisions on which security practices to adopt, through the development of models relating software security practice scores to security vulnerability counts.

To that end, we developed five supervised machine learning models for npm and PyPI packages using the OpenSSF Scorecard security practice scores and aggregate security scores as predictors and the number of externally-reported vulnerabilities as the target variable. Our models found four security practices (Maintained, Code Review, Branch Protection, and Security Policy) to be the most important practices influencing vulnerability count. However, we obtained low R^2 values (ranging from 9% to 12%) when we tested the models' ability to predict vulnerability counts. Additionally, we observed that the number of reported vulnerabilities increased rather than decreased as the aggregate security score of the packages increased. Both findings indicate that additional factors may influence the package vulnerability count. We suggest that vulnerability count and security score data be refined so that these measures can be used to provide actionable guidance on security practices.
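As an added example (not code from the paper or from the Scorecard project), the following Python sketches the data preparation the abstract describes: flattening Scorecard JSON reports into per-check and aggregate-score predictors, pairing each package with its externally reported vulnerability count, and reading the R^2 of a one-predictor linear fit off the correlation. The package records, scores and vulnerability counts are constructed; the check names and the `checks`/`score` layout follow Scorecard's JSON output, and mapping a -1 (check could not be evaluated) to 0 is an assumption of this example.

```python
# Added example: build a Scorecard-score vs. vulnerability-count table and
# measure how each predictor co-varies with the target.  Real reports come
# from `scorecard --repo=... --format=json` (json.load); these are constructed.
PRACTICES = ["Maintained", "Code-Review", "Branch-Protection", "Security-Policy"]


def features_from_scorecard(report: dict) -> dict:
    """Flatten one Scorecard-shaped report into {check: score, "aggregate": score}.
    Scorecard reports -1 for a check it could not evaluate; we clamp that to 0
    so an unevaluated check never looks like a satisfied practice (assumption)."""
    checks = {c["name"]: max(c["score"], 0) for c in report["checks"]}
    row = {name: checks.get(name, 0) for name in PRACTICES}
    row["aggregate"] = report["score"]
    return row


def pearson(xs, ys):
    """Pearson r; returns 0.0 for a constant column instead of dividing by zero."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def make_report(repo, aggregate, scores):
    """Constructed report in Scorecard's JSON layout (real output has more fields)."""
    return {"repo": {"name": repo}, "score": aggregate,
            "checks": [{"name": n, "score": s} for n, s in zip(PRACTICES, scores)]}


SAMPLE = [  # (report, externally reported vulnerability count) -- constructed values
    (make_report("github.com/example/a", 8.1, [10, 10, 8, 10]), 6),
    (make_report("github.com/example/b", 6.4, [10, 7, 5, 10]), 3),
    (make_report("github.com/example/c", 2.0, [3, 0, 0, 0]), 1),
    (make_report("github.com/example/d", 1.5, [0, 0, -1, 0]), 0),  # -1: check could not run
    (make_report("github.com/example/e", 5.9, [8, 10, 10, 0]), 5),
    (make_report("github.com/example/f", 4.2, [5, 3, 0, 10]), 1),
]


def analyse(sample=SAMPLE):
    """Per-predictor correlation with vulnerability count, plus R^2 of a
    single-predictor linear fit on the aggregate score (R^2 == r^2 there)."""
    rows = [features_from_scorecard(r) for r, _ in sample]
    vulns = [v for _, v in sample]
    corr = {k: pearson([r[k] for r in rows], vulns) for k in rows[0]}
    return corr, corr["aggregate"] ** 2


if __name__ == "__main__":
    correlations, r2 = analyse()
    print(correlations, "R^2 (aggregate only):", round(r2, 3))
```

On this constructed sample the aggregate score is positively correlated with the vulnerability count, matching the direction the abstract reports, though a six-package toy set says nothing about the effect size of the study itself.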

Fri 19 May

Displayed time zone: Hobart

11:00 - 12:30

11:00 (15m) Talk: A Theory of Scrum Team Effectiveness [Journal-First Papers]
Christiaan Verwijs (The Liberators), Daniel Russo (Department of Computer Science, Aalborg University)

11:15 (15m) Talk: Sustainability is Stratified: Toward a Better Theory of Sustainable Software Engineering [Technical Track]
Erin Schultz (Dalhousie University), Sean McGuire (Dalhousie University), Bimpe Ayoola (Dalhousie University), Paul Ralph (Dalhousie University)

11:30 (15m) Talk: Overcoming Challenges in DevOps Education through Teaching Methods [SEET - Software Engineering Education and Training]
Samuel Ferino (Federal University of Rio Grande do Norte), Marcelo Fernandes (Federal Institute of Rio Grande do Norte), Elder Cirilo (Federal University of São João del Rei), Lucas Agnez (Federal University of Rio Grande do Norte), Bruno Batista (Federal University of Rio Grande do Norte), Uirá Kulesza (Federal University of Rio Grande do Norte), Eduardo Aranha (Federal University of Rio Grande do Norte), Christoph Treude (University of Melbourne)

11:45 (15m) Talk: Do Software Security Practices Yield Fewer Vulnerabilities? [SEIP - Software Engineering in Practice]
Nusrat Zahan (North Carolina State University), Shohanuzzaman Shohan, Dan Harris, Laurie Williams (North Carolina State University)

12:00 (15m) Talk: A/B Integrations: 7 Lessons Learned from Enabling A/B testing as a Product Feature [SEIP - Software Engineering in Practice]

12:15 (7m) Talk: Towards Supporting Emotion Awareness in Retrospective Meetings [NIER - New Ideas and Emerging Results]
Daniela Grassi, Filippo Lanubile (University of Bari), Nicole Novielli (University of Bari), Alexander Serebrenik (Eindhoven University of Technology)

12:22 (7m) Talk: Test-Driven Development Benefits Beyond Design Quality: Flow State and Developer Experience [NIER - New Ideas and Emerging Results]
Pedro Calais (Stone Co.), Lissa Franzini (Stone Co.)