Keywords: Security Engineering and Design


A Comprehensive Investigation of Developers’ Remediation Practices

Noura Alomar, PhD Student, International Computer Science Institute, UC Berkeley
Primal Wijesekera, Staff Research Scientist, International Computer Science Institute, UC Berkeley

Security vulnerabilities pose a grave danger to the integrity of any system because they can undermine almost any protection mechanism an organization puts in place to defend itself against attack. Finding vulnerabilities, whether before software is deployed or once it is running in production, is therefore a critical task in the software development lifecycle. Detection alone is not enough, however: without a robust remediation process tailored to the vulnerabilities that have been identified, an organization remains exposed to attacks that its own vulnerability detection activities have already uncovered.

In a previous CLTC-funded project, “Hackers vs. Testers: Understanding Software Vulnerability Discovery Processes,” which focused on obtaining an improved understanding of organizations’ vulnerability management processes, one of our key findings was that organizations struggle with vulnerability remediation. We plan to continue this line of work by conducting a qualitative study that focuses on the vulnerability remediation processes organizations follow.

We also want to understand how organizations remediate privacy-related issues once they are notified of them. We believe that remediating privacy issues carries equal importance to remediating security issues, and that both must be addressed to make the app ecosystem a safe place. There is a rich literature on finding privacy violations and on understanding how users perceive privacy, especially in the mobile ecosystem. However, the literature on how to help developers make their code compliant with privacy regulations is sparse. Given the rising emphasis on privacy regulation and compliance, we believe it is imperative to understand how developers react to reported privacy violations and remediate them in order to comply with new privacy regulations.