TraceSEC
Tracing and Explaining Security in Software Engineering
Software is often unnecessarily insecure. While developers tend to be aware of security issues in highly sensitive domains, many software developers are not sufficiently familiar with how to handle security.
There are several core issues that build on each other and should be addressed consistently:
1. During development, security-related artifacts must be integrated into the development process.
2. Development flaws can cause security problems in use. Problem analysis should identify the causes of security problems that are rooted in development.
3. Developers should learn continuously from development considerations and problem analysis to prevent future incidents and improve security.
Research Vision: Quality models are used to organize security-related information at several levels of detail. Tracing security-related activities with artifacts and with the quality model will address all three core challenges at once: development, problem analysis, and learning. We envision software organizations creating traces related to security, then comparing and reusing them via soft matching and intelligent operations. Automated support and human judgment will join forces and make TraceSEC a truly socio-technical approach. TraceSEC introduces a special kind of socio-technical explainability of security-related activities.
DFG
- Universität Koblenz, Prof. Jan Jürjens