TUHH Open Research
A taxonomy of functional security features and how they can be located

Citation Link: https://doi.org/10.15480/882.15256
Publication type
Journal Article
Date Issued
2025-05-28
Language
English
Author(s)
Hermann, Kevin
Schneider, Simon Malte (Software Security E-22)
Tony, Catherine (Software Security E-22)
Yardim, Asli
Peldszus, Sven
Berger, Thorsten
Scandariato, Riccardo (Software Security E-22)
Sasse, M. Angela
Naiakshina, Alena
TORE-DOI
10.15480/882.15256
TORE-URI
https://hdl.handle.net/11420/55836
Journal
Empirical software engineering  
Volume
30
Issue
5
Article Number
117
Citation
Empirical Software Engineering 30 (5): 117 (2025)
Publisher DOI
10.1007/s10664-025-10649-7
Scopus ID
2-s2.0-105006654388
Publisher
Springer
Security must be considered in almost every software system. Unfortunately, selecting and implementing security features remains a challenge due to the wide variety of security threats and possible countermeasures. While security standards are intended to help developers, they are usually too abstract and vague to help implement security features, or they merely help configure them. A resource that describes security features at an abstraction level between high-level (i.e., rather too general) and low-level (i.e., rather too specific) security standards could facilitate secure systems development. Such a resource should support the selection of appropriate security features to achieve high-level security goals, allow easy retrieval of relevant low-level details, and provide pointers to suitable ways of realizing the security features. To realize security features, developers typically use external security libraries or frameworks to minimize implementation mistakes. Even when using libraries, developers still make mistakes when writing the code that integrates them, often resulting in security vulnerabilities. When security incidents occur or the system needs to be audited or maintained, it is essential to know which security features have been implemented and, more importantly, where they are located. This task, commonly referred to as feature location, is often tedious and error-prone. While dedicated feature location techniques exist, they require significant manual effort or adherence to strict development processes, which prevents their use in practice. Therefore, long-term tracking of implemented security features needs to be supported. We present a study of security features described in the literature and their coverage in popular security frameworks.
We contribute (1) a taxonomy of 68 functional implementation-level security features including a mapping to widely used security standards, (2) an examination of 21 popular security frameworks concerning which of these security features they provide, and (3) a discussion on the representation of security features in source code. Our taxonomy aims to aid developers in selecting appropriate security features and security frameworks, as well as relating them to security standards when they need to choose and implement security features for a software system.
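The abstract makes two practical points: security features realized through a library still have to be located in the code base later, and the glue code around a library call is where integration mistakes tend to hide. The following is an added illustration of both, not code from the paper or from any of the frameworks it examines. It walks the Python AST of a constructed sample module, resolves import aliases, and reports every call into a small set of standard-library security APIs together with an assumed feature label (the labels are illustrative placeholders, not the paper's 68-feature taxonomy). A second pass flags the common integration mistake of comparing a MAC digest with `==` instead of `hmac.compare_digest`, to show that locating a feature and checking its integration can share the same machinery.

```python
import ast
from dataclasses import dataclass

# Assumed, illustrative mapping from (module, function) to a feature label.
# A real catalogue would map library APIs onto a taxonomy such as the paper's.
FEATURE_MAP = {
    ("hashlib", "pbkdf2_hmac"): "password hashing (key derivation)",
    ("hmac", "new"): "message authentication code",
    ("hmac", "compare_digest"): "constant-time comparison",
    ("secrets", "token_urlsafe"): "random token generation",
    ("ssl", "create_default_context"): "TLS configuration",
}

# Constructed sample module: two correct integrations and one digest
# comparison done with == (line 9), which leaks timing information.
SAMPLE_SOURCE = '''\
import hashlib
import hmac as h
from secrets import token_urlsafe

def hash_password(pw: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000)

def verify_tag(key: bytes, msg: bytes, tag: str) -> bool:
    return h.new(key, msg, "sha256").hexdigest() == tag

def new_session_id() -> str:
    return token_urlsafe(32)
'''


@dataclass(frozen=True)
class FeatureHit:
    feature: str   # assumed feature label from FEATURE_MAP
    line: int      # source line of the call
    call: str      # fully resolved dotted call target, e.g. "hmac.new"


def _dotted_name(node):
    """Turn a Name/Attribute chain into 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_aliases(tree):
    """Map local names to the module path they were imported from."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def locate_security_features(source: str):
    """Return FeatureHits for every call into a known security API, by line."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + (f".{rest}" if rest else "")
        module, _, func = full.rpartition(".")
        feature = FEATURE_MAP.get((module, func))
        if feature:
            hits.append(FeatureHit(feature, node.lineno, full))
    return sorted(hits, key=lambda hit: hit.line)


def find_digest_equality(source: str):
    """Lines where a .digest()/.hexdigest() result is compared with == or !=."""
    tree = ast.parse(source)
    lines = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Compare)
                and any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops)):
            continue
        for operand in [node.left, *node.comparators]:
            if (isinstance(operand, ast.Call)
                    and isinstance(operand.func, ast.Attribute)
                    and operand.func.attr in ("digest", "hexdigest")):
                lines.append(node.lineno)
                break
    return lines


if __name__ == "__main__":
    for hit in locate_security_features(SAMPLE_SOURCE):
        print(f"line {hit.line:>3}: {hit.call:<28} -> {hit.feature}")
    for line in find_digest_equality(SAMPLE_SOURCE):
        print(f"line {line:>3}: digest compared with ==; use hmac.compare_digest")
```

The alias table is what makes the locator robust to `import hmac as h` and `from secrets import token_urlsafe`; a plain text search for `hmac.new` would miss the first and a search for `secrets.` the second. The same resolved call name is the natural key for attaching a taxonomy entry, which is what keeps the feature inventory usable for the audit and maintenance scenario the abstract describes.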
Subjects
Feature location | Security | Security features | Security frameworks | Security standard
DDC Class
004: Computer Sciences
005.8: Computer Security
658: General Management
Publication version
publishedVersion
License
https://creativecommons.org/licenses/by/4.0/
File
s10664-025-10649-7.pdf (Main Article, 3.71 MB, Adobe PDF)