An Exploratory Study on the Engineering of Security Features

TL;DR

This paper presents an exploratory empirical study on how software developers select, design, and maintain security features, providing insights into current practices and validating common assumptions in the field.

Contribution

It offers new empirical data on security feature engineering in practice, addressing a gap in understanding developer behaviors and challenges.

Findings

Developers face specific challenges in maintaining security features.

Security features are often selected based on library availability and project needs.

The study validates four common assumptions about security engineering practices.

Abstract

Software security is of utmost importance for most software systems. Developers must systematically select, plan, design, implement, and especially, maintain and evolve security features -- functionalities to mitigate attacks or protect personal data such as cryptography or access control -- to ensure the security of their software. Although security features are usually available in libraries, integrating security features requires writing and maintaining additional security-critical code. While there have been studies on the use of such libraries, surprisingly little is known about how developers engineer security features, how they select what security features to implement and which ones may require custom implementation, and the implications for maintenance. As a result, we currently rely on assumptions that are largely based on common sense or individual examples. However, to provide them with effective solutions, researchers need hard empirical data to understand what practitioners need and how they view security -- data that we currently lack. To fill this gap, we contribute an exploratory study with 26 knowledgeable industrial participants. We study how security features of software systems are selected and engineered in practice, what their code-level characteristics are, and what challenges practitioners face. Based on the empirical data gathered, we provide insights into engineering practices and validate four common assumptions.