Campus Units

Electrical and Computer Engineering

Document Type

Conference Proceeding


The 35th ACM/SIGAPP Symposium On Applied Computing

Publication Version

Accepted Manuscript

Link to Published Version

Publication Date


Journal or Book Title

The 35th ACM/SIGAPP Symposium On Applied Computing



Conference Title

The 35th ACM/SIGAPP Symposium On Applied Computing

Conference Date

March 30-April 3, 2020


Brno, Czech Republic


Developers change the code of their software to add new features, fix bugs, or enhance its structure. Such frequent changes impact occasionally the security of the software. This paper reports a qualitative study of the practices of changing secure-software in the industry. The study involves interviews with eleven developers and security experts working on banking software, software for control systems, and software consultation companies. Through these interviews, we identified that the main security aspects are: dependency vulnerabilities, authentication and authorization, and OWASP 10 vulnerabilities. The common techniques used to assess software after code change are: code review, code analysis, testing, and keywords search. The main challenges that practitioners face are the diversity of the security issues and the lack of effectiveness of the security assurance tools in detecting vulnerabilities. The study suggests that developers of secure software need techniques that support effective security assurance of modified software.


This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Jamil, Ameerah Muhsinah, Lotfi ben Othmane, Altaz Valani, Moataz Abdelkhalek, and Ayhan Tek. “The Current Practices of Changing Secure Software.” The 35th ACM/SIGAPP Symposium On Applied Computing. Brno, Czech Republic, March 30-April 3, 2020. DOI: 10.1145/3341105.3373922. Posted with permission.

Copyright Owner

The Authors



File Format


Published Version


Article Location