Security findings management in modern industrial software development
The development of software has turned into one of the central activities for industrial companies over the last decades. With almost every industrial product across all industry sectors containing or entirely consisting of software, its secure and efficient development has become crucial in practice. In particular, the assessment of software products for security shortcomings or vulnerabilities plays a vital role during the secure software development lifecycle in industry. Similar to these checks, the management of the security findings resulting from them is equally indispensable and required by multiple standards, guidelines and norms. With new trends and processes in the software engineering domain, including concepts like Agile Software Development or DevOps, industrial software engineering evolved from traditional concepts to modern software development approaches. However, this not only affects the software engineering itself, but also all security activities performed as part of the software development lifecycle. While areas like security testing have already adapted to this shift by applying, e.g., automated security checks during all lifecycle stages, the management of security findings still lacks the transformation to modern software development principles. This is problematic for practitioners in industry, as it not only diminishes the efficiency of the software development process but compromises the security of products as well. This thesis addresses this gap by researching and designing a methodology for the management of security findings in modern industrial software development projects. The methodology is based on the requirements arising from state-of-practice security findings management and modern software development principles. Employing a three-step approach, the data quality of security findings is improved, a reaction to each finding is decided, and the resulting information is communicated to stakeholders.
To measure the impact of the methodology, it is implemented as a platform for the management of security findings and, in collaboration with our industry partner Siemens AG, evaluated in ongoing industrial software development projects. The results indicate the importance of a modernized security findings management process and confirm the relevance of our methodology for industrial practice. The main contribution of this thesis is the methodology for the management of security findings in modern industrial software development projects. With its implementation as a platform and evaluation in real-world projects, it contributes to the software engineering domain and industrial practice alike. Moreover, it yields several advancements in the areas of Knowledge Engineering, Software Security, and Natural Language Processing.
Voggenreiter, Markus Ludwig
2024
English
Universitätsbibliothek der Ludwig-Maximilians-Universität München
Voggenreiter, Markus Ludwig (2024): Security findings management in modern industrial software development. Dissertation, LMU München: Fakultät für Mathematik, Informatik und Statistik
Voggenreiter_Markus_Ludwig.pdf (PDF, 4MB)