Applied Sciences (Jun 2023)

Security Monitoring during Software Development: An Industrial Case Study

  • Miltiadis Siavvas,
  • Dimitrios Tsoukalas,
  • Ilias Kalouptsoglou,
  • Evdoxia Manganopoulou,
  • Georgios Manolis,
  • Dionysios Kehagias,
  • Dimitrios Tzovaras

DOI
https://doi.org/10.3390/app13126872
Journal volume & issue
Vol. 13, no. 12
p. 6872

Abstract

The devastating consequences of recently observed security breaches have forced more and more software development enterprises to shift their focus towards building software products that are highly secure (i.e., vulnerability-free) from the ground up. Producing secure software applications requires mechanisms that enable project managers and developers to monitor the security level of their products during development and to identify and eliminate vulnerabilities prior to release. A large number of such mechanisms have been proposed in the literature over the years, but few attempts to assess their industrial applicability, relevance, and practicality can be found. To this end, in the present paper, we demonstrate an integrated security platform, the VM4SEC platform, which offers cutting-edge solutions for software security monitoring and optimization based on static and textual source code analysis. The platform was built to satisfy the actual security needs of a real software development company. For this purpose, an industrial case study was conducted to identify the company's current security state and its security needs, so that the employed security mechanisms could be adapted to those needs. Based on this analysis, the overall architecture of the platform and the parameters of the selected models and mechanisms were defined and are demonstrated in the present paper. The purpose of this paper is to showcase how cutting-edge security monitoring and optimization mechanisms can be adapted to the needs of a specific company, and to serve as a blueprint for constructing similar security monitoring platforms and pipelines.