ben Othmane Lotfi - Empirical Research for Software Security

Empirical Research for Software Security

Foundations and Experience

CRC Series in Security, Privacy and Trust

SERIES EDITORS

AIMS AND SCOPE

This book series presents the advancements in research and technology development in the area of security, privacy, and trust in a systematic and comprehensive manner. The series will provide a reference for defining, reasoning and addressing the security and privacy risks and vulnerabilities in all the IT systems and applications, it will mainly include (but not limited to) aspects below:

Applied Cryptography, Key Management/Recovery, Data and Application Security and Privacy;

Biometrics, Authentication, Authorization, and Identity Management;

Cloud Security, Distributed Systems Security, Smart Grid Security, CPS and IoT Security;

Data Security, Web Security, Network Security, Mobile and Wireless Security;

Privacy Enhancing Technology, Privacy and Anonymity, Trusted and Trustworthy Computing;

Risk Evaluation and Security Certification, Critical Infrastructure Protection;

Security Protocols and Intelligence, Intrusion Detection and Prevention;

Multimedia Security, Software Security, System Security, Trust Model and Management;

Security, Privacy, and Trust in Cloud Environments, Mobile Systems, Social Networks, Peer-to-Peer Systems, Pervasive/Ubiquitous Computing, Data Outsourcing, and Crowdsourcing, etc.

PUBLISHED TITLES

Empirical Research for Software Security: Foundations and Experience

Lotfi ben Othmane, Martin Gilje Jaatun, Edgar Weippl

Intrusion Detection and Prevention for Mobile Ecosystems

Georgios Kambourakis, Asaf Shabtai, Constantinos Kolias, and Dimitrios Damopoulos

Touchless Fingerprint Biometrics

Ruggero Donida Labati, Vincenzo Piuri, and Fabio Scotti

Empirical Research for Software Security: Foundations and Experience

Lotfi ben Othmane, Martin Gilje Jaatun, and Edgar Weippl

Real-World Electronic Voting: Design, Analysis and Deployment

Feng Hao and Peter Y. A. Ryan

Protecting Mobile Networks and Devices: Challenges and Solutions

Weizhi Meng, Xiapu Luo, Steven Furnell, and Jianying Zhou

Location Privacy in Wireless Sensor Networks

Ruben Rios, Javier Lopez, and Jorge Cuellar

Empirical Research for Software Security

Foundations and Experience

Edited by Lotfi ben Othmane

Martin Gilje Jaatun Edgar Weippl

CRC Press

Taylor & Francis Group

6000 Broken Sound Parkway NW, Suite 300

Boca Raton, FL 33487-2742

2018 by Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

Version Date: 20171024

International Standard Book Number-13: 978-1-4987-7641-7 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com

and the CRC Press Web site at
http://www.crcpress.com

Contents

Koen Yskout, Kim Wuyts, Dimitri Van Landuyt, Riccardo Scandariato, and Wouter Joosen

Michael Felderer and Jeffrey C. Carver

Lotfi ben Othmane, Achim D. Brucker, Stanislav Dashevskyi, and Peter Tsalovski

Ren Nol, Santiago Matalonga, Gilberto Pedraza, Hernn Astudillo, and Eduardo B. Fernandez

Markus Wagner, Dominik Sacha, Alexander Rind, Fabian Fischer, Robert Luh, Sebastian Schrittwieser, Daniel A. Keim, and Wolfgang Aigner

Natalia Stakhanova and Alvaro A. Cardenas

Martin Gilje Jaatun

Sandra Domenique Ringmann and Hanno Langweg

Robert Bronte, Hossain Shahriar, and Hisham Haddad

Daniela S. Cruzes and Lotfi ben Othmane

The software security field has been plagued by accepted truths or self-evident statements that at their core are based on nothing more than that some guru at one point thought it sounded like a good idea. Consequently, these accepted truths have often proved to be of varying longevity, as fashion changes and new fads emerge. Empirical research allows to test theories in the real world, and to explore relationships, prove theoretical concepts, evaluate models, assess tools and techniques, and establish quality benchmarks across organizations. The methods for doing such research have been used in several areas, such as social sciences, education, and software engineering. These methods are currently being used to investigate software security challenges and mature the subject.

The purpose of this book is to introduce students, practitioners and researchers to the use of empirical methods in software security research. It explains different methods of both primary and secondary empirical research, ranging from surveys and experiments to systematic literature mapping, and provides practical examples.

Rather than a complete textbook on empirical research, this book is intended as a reference work that both explains research methods and shows how software security researchers use empirical methods in their work. With some chapters structured as step-by-step instructions for empirical research and others presenting results of said research, we hope this book will be interesting to a wide range of readers.

In the first chapter, Koen Yskout et al. offer a primer on empirical research in the area of security and privacy by design, explaining what to expect and what not to expect as researcher or reviewer. They address the frequent lack of empirical research on new methods or techniques in the early stages of security and privacy design. Their experience-led chapter discusses how to design and perform controlled experiments and descriptive studies in this domain. It contrasts the methods typically applied by beginning and more experienced researchers with those frequently expected by reviewers, and strikes a balance between scientific rigor and pragmatism dictated by the realities of research.