Perceptions of Practitioners on Security-Related Software Testing in a Mobile Software Development Company
Resumo
Context: The concern with the security of software assets increases and makes the companies seek guarantees that the data stored by them is safe from unauthorized access and theft. These concerns are also applicable to the mobile software context and, as the devices have various capabilities, many security breaches may occur and expose users’ data. Thus, to guarantee security, the software testing process also includes security-related tests. Objective: empirically analyze the perceptions of practitioners from the mobile software testing environment on security-related testing topics. Method: A survey was performed among 49 software testing practitioners from a mobile software development company in Brazil regarding their perception of security testing practices. Results: We observed that there is a concern about security among the practitioners. On the other hand, the respondents indicated that there is also a lack of knowledge about the topics discussed. Conclusions: the results showed the general importance of the security testing practices by the practitioners as well as triggered the need for the creation of methods and techniques for better integration of security testing practices in the mobile software development, and also reinforced the need for improving the security culture in organizations.
Palavras-chave:
Security, Software Testing, Survey, Mobile Software development
Referências
Amanda Andress. 2003. Surviving security: how to integrate people, process, and technology. Auerbach Publications.
BRASIL. 2019. Código Civil. Lei Nº 13.853. “Lei Geral de Proteção de Dados Pessoais (LGPD).”. http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
V Braun and V Clarke. 2012. Thematic analysis In Cooper H, Camic PM, Long DL, Panter AT, Rindskopf D, & Sher KJ (Eds.), APA handbook of research methods in psychology, Vol 2: Research designs: Quantitative, qualitative, neuropsychological, and biological (pp. 57–71). Washington, DC: American Psychological Association.[Google Scholar] (2012).
Lee Copeland. 2004. A practitioner's guide to software test design. Artech House.
Arilo Claudio Dias-Neto, Santiago Matalonga, Martín Solari, Gabriela Robiolo, and Guilherme Horta Travassos. 2017. Toward the characterization of software testing practices in South America: looking at Brazil and Uruguay. Software Quality Journal 25, 4 (2017), 1145–1183.
André Bittencourt do Valle. 2015. Fundamentos do gerenciamento de projetos. Editora FGV.
Michael Felderer, Matthias Büchler, Martin Johns, Achim D Brucker, Ruth Breu, and Alexander Pretschner. 2016. Security testing: A survey. In Advances in Computers. Vol. 101. Elsevier, 1–51.
Alessio Ferrari, Paola Spoletini, Muneera Bano, and Didar Zowghi. 2020. SaPeer and ReverseSaPeer: teaching requirements elicitation interviews with role-playing and role reversal. Requirements Engineering 25, 4 (2020), 417–438.
OWASP Foundation. 2020. OWASP Mobile Security Testing Guide. https://owasp.org/www-project-mobile-security-testing-guide/
OWASP Foundation. 2020. OWASP Web Security Testing Guide v4. https://www.owasp.org/index.php/OWASP_Testing_Project
William B Frakes and Kyo Kang. 2005. Software reuse research: Status and future. IEEE transactions on Software Engineering 31, 7 (2005), 529–536.
Antonio Carlos Gil. 2008. Métodos e técnicas de pesquisa social. 6. ed. Ediitora Atlas SA.
ISO Iso. 2001. Iec 9126-1: Software engineering-product quality-part 1: Quality model. Geneva, Switzerland: International Organization for Standardization 21 (2001).
ISO/IEC. 2011. ISO/IEC 25010:2011 Systems and software engineering - Systems and software Quality Requirements and Evaluation (SQuaRE) - System and software quality models. https://www.iso.org/standard/35733.html
Mark Kasunic. 2005. Designing an effective survey. Technical Report. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.
Mariantonietta La Polla, Fabio Martinelli, and Daniele Sgandurra. 2012. A survey on security for mobile devices. IEEE communications surveys & tutorials 15, 1 (2012), 446–471.
Mauricio Rocha Lyra. 2015. Governança da segurança da informação. Brasília: nd (2015).
Glenford J Myers, Corey Sandler, and Tom Badgett. 2011. The art of software testing. John Wiley & Sons.
Matthew T Patrick. 2020. Exploring software reusability metrics with Q&A forum data. Journal of Systems and Software 168 (2020), 110652.
Bruce Potter and Gary McGraw. 2004. Software security testing. IEEE Security & Privacy 2, 5 (2004), 81–85.
Bruce Potter and Gary McGraw. 2004. Software security testing. IEEE Security & Privacy 2, 5 (2004), 81–85.
Pradeo. 2020. Mobile Security Report: The current mobile threat landscape. https://www.pradeo.com/en-US/datasheet/mobile-security-threat-report
Cleber Cristiano Prodanov and Ernani Cesar De Freitas. 2013. Metodologia do trabalho científico: métodos e técnicas da pesquisa e do trabalho acadêmico-2ª Edição. Editora Feevale.
General Data Protection Regulation. 2016. Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016. Official Journal of the European Union (2016).
David Rydning, John Reinsel, and John Gantz. 2018. The digitization of the world from edge to core. Framingham: International Data Corporation (2018), 16.
Pedro Santos, Mariana Peixoto, and Jéssyka Vilela. 2021. Understanding the information security culture of organizations: Results of a Survey. In XVII Brazilian Symposium on Information Systems. 1–8.
Jéssyka Vilela and Alessio Ferrari. 2021. SaPeer Approach for Training Requirements Analysts: An Application Tailored to a Low-resource Context.. In REFSQ. 191–207.
Wandera. 2020. Mobile Threat Landscape Report 2020. https://www.wandera.com/mobile-threat-landscape/
Claes Wohlin, Per Runeson, Martin Höst, Magnus C Ohlsson, Björn Regnell, and Anders Wesslén. 2012. Experimentation in software engineering. Springer Science & Business Media.
Chris Wysopal, Lucas Nelson, Elfriede Dustin, and Dino Dai Zovi. 2006. The art of software security testing: identifying software security flaws. Pearson Education.
BRASIL. 2019. Código Civil. Lei Nº 13.853. “Lei Geral de Proteção de Dados Pessoais (LGPD).”. http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
V Braun and V Clarke. 2012. Thematic analysis In Cooper H, Camic PM, Long DL, Panter AT, Rindskopf D, & Sher KJ (Eds.), APA handbook of research methods in psychology, Vol 2: Research designs: Quantitative, qualitative, neuropsychological, and biological (pp. 57–71). Washington, DC: American Psychological Association.[Google Scholar] (2012).
Lee Copeland. 2004. A practitioner's guide to software test design. Artech House.
Arilo Claudio Dias-Neto, Santiago Matalonga, Martín Solari, Gabriela Robiolo, and Guilherme Horta Travassos. 2017. Toward the characterization of software testing practices in South America: looking at Brazil and Uruguay. Software Quality Journal 25, 4 (2017), 1145–1183.
André Bittencourt do Valle. 2015. Fundamentos do gerenciamento de projetos. Editora FGV.
Michael Felderer, Matthias Büchler, Martin Johns, Achim D Brucker, Ruth Breu, and Alexander Pretschner. 2016. Security testing: A survey. In Advances in Computers. Vol. 101. Elsevier, 1–51.
Alessio Ferrari, Paola Spoletini, Muneera Bano, and Didar Zowghi. 2020. SaPeer and ReverseSaPeer: teaching requirements elicitation interviews with role-playing and role reversal. Requirements Engineering 25, 4 (2020), 417–438.
OWASP Foundation. 2020. OWASP Mobile Security Testing Guide. https://owasp.org/www-project-mobile-security-testing-guide/
OWASP Foundation. 2020. OWASP Web Security Testing Guide v4. https://www.owasp.org/index.php/OWASP_Testing_Project
William B Frakes and Kyo Kang. 2005. Software reuse research: Status and future. IEEE transactions on Software Engineering 31, 7 (2005), 529–536.
Antonio Carlos Gil. 2008. Métodos e técnicas de pesquisa social. 6. ed. Ediitora Atlas SA.
ISO Iso. 2001. Iec 9126-1: Software engineering-product quality-part 1: Quality model. Geneva, Switzerland: International Organization for Standardization 21 (2001).
ISO/IEC. 2011. ISO/IEC 25010:2011 Systems and software engineering - Systems and software Quality Requirements and Evaluation (SQuaRE) - System and software quality models. https://www.iso.org/standard/35733.html
Mark Kasunic. 2005. Designing an effective survey. Technical Report. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.
Mariantonietta La Polla, Fabio Martinelli, and Daniele Sgandurra. 2012. A survey on security for mobile devices. IEEE communications surveys & tutorials 15, 1 (2012), 446–471.
Mauricio Rocha Lyra. 2015. Governança da segurança da informação. Brasília: nd (2015).
Glenford J Myers, Corey Sandler, and Tom Badgett. 2011. The art of software testing. John Wiley & Sons.
Matthew T Patrick. 2020. Exploring software reusability metrics with Q&A forum data. Journal of Systems and Software 168 (2020), 110652.
Bruce Potter and Gary McGraw. 2004. Software security testing. IEEE Security & Privacy 2, 5 (2004), 81–85.
Bruce Potter and Gary McGraw. 2004. Software security testing. IEEE Security & Privacy 2, 5 (2004), 81–85.
Pradeo. 2020. Mobile Security Report: The current mobile threat landscape. https://www.pradeo.com/en-US/datasheet/mobile-security-threat-report
Cleber Cristiano Prodanov and Ernani Cesar De Freitas. 2013. Metodologia do trabalho científico: métodos e técnicas da pesquisa e do trabalho acadêmico-2ª Edição. Editora Feevale.
General Data Protection Regulation. 2016. Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016. Official Journal of the European Union (2016).
David Rydning, John Reinsel, and John Gantz. 2018. The digitization of the world from edge to core. Framingham: International Data Corporation (2018), 16.
Pedro Santos, Mariana Peixoto, and Jéssyka Vilela. 2021. Understanding the information security culture of organizations: Results of a Survey. In XVII Brazilian Symposium on Information Systems. 1–8.
Jéssyka Vilela and Alessio Ferrari. 2021. SaPeer Approach for Training Requirements Analysts: An Application Tailored to a Low-resource Context.. In REFSQ. 191–207.
Wandera. 2020. Mobile Threat Landscape Report 2020. https://www.wandera.com/mobile-threat-landscape/
Claes Wohlin, Per Runeson, Martin Höst, Magnus C Ohlsson, Björn Regnell, and Anders Wesslén. 2012. Experimentation in software engineering. Springer Science & Business Media.
Chris Wysopal, Lucas Nelson, Elfriede Dustin, and Dino Dai Zovi. 2006. The art of software security testing: identifying software security flaws. Pearson Education.
Publicado
29/05/2023
Como Citar
SOARES, Alexandre; VILELA, Jéssyka; PEIXOTO, Mariana; SANTOS, Diogo; SILVA, Carla.
Perceptions of Practitioners on Security-Related Software Testing in a Mobile Software Development Company. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 19. , 2023, Maceió/AL.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2023
.
