Moderator Factors of Software Security and Performance Verification
Victor Vidigal Ribeiro, Daniela Soares Cruzes, Guilherme Horta Travassos

TL;DR
This paper identifies key organizational and methodological factors that influence the effectiveness of security and performance verification in software development, providing actionable insights to improve verification practices.
Contribution
It presents a set of eight S&P moderator factors through qualitative case studies, literature review, and practitioner surveys, offering a comprehensive understanding of influences on verification activities.
Findings
Eight S&P moderator factors identified
Literature review confirmed the factors
Practitioner survey classified relevance of factors
Abstract
Context: Security and performance (S&P) are critical non-functional requirements on software systems. Therefore, verification activities should be included in the development process to identify related defects and avoid S&P failures after deployment. However, the state of the practice of S&P verification is unclear, challenging academia to offer solutions for real-world problems faced by the S&P verification practitioners. Thus, identifying factors moderating the S&P verification helps software development organizations improve the S&P verification, releasing software that meets security and performance requirements. Objective: To present moderator factors influencing S&P verification activities and actions to promote S&P moderator factors. Method: Multiple case study using qualitative analysis of observational data to identify S&P moderator factors. Literature Rapid Reviews with…
