best practices

Applying proven security controls and processes across design, development, and operations to reduce risk; doing this involves implementing least privilege and defense-in-depth, input validation and output encoding, encryption in transit and at rest, secrets management (Vault, KMS), dependency scanning, secure coding standards, patching, threat modeling and incident response planning.

bestpractices

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

A Taxonomy of Functional Security Features and How They Can Be Located

Jan 08, 2025
KH
Kevin Hermann
🏛️ Ruhr University Bochum | Hamburg University of Technology | Chalmers University of Technology | University of Gothenburg

In software development, selecting appropriate security features is challenging due to ambiguous standards, framework-specific vulnerabilities, and the absence of traceable, implementation-level security feature identifiers. Method: This paper proposes a fine-grained, implementation-oriented security feature taxonomy comprising 68 extensible characteristics; establishes systematic mappings between these features and major security standards (e.g., ISO/IEC 27001, NIST SP 800-53); and conducts reverse-engineering–driven, source-code–based feature modeling to empirically assess the support coverage of 21 widely adopted frameworks (e.g., Spring Security, OAuth 2.0). Contribution/Results: We present the first three-layer alignment—across security standards, framework capabilities, and source-code–level features—enabling precise security feature selection, implementation-level traceability, and long-term compliance auditing. The resulting taxonomy provides a structured semantic foundation and end-to-end traceability for secure software engineering.

Security StandardsSoftware SecurityVulnerability Management

Must-Read Papers

Most classic and influential ideas
View more

Automated Reasoning for Vulnerability Management by Design

Jul 08, 2025
AS
Avi Shaked
🏛️ University of Oxford | IRIT | CNRS | UT2

Existing vulnerability management approaches lack systematic reasoning capabilities for the vulnerability posture during system design, hindering proactive security control design. This paper introduces the first automated vulnerability reasoning mechanism tailored for the design phase, leveraging formal modeling and automated reasoning to support end-to-end vulnerability identification, mitigation option generation, and security control specification. The mechanism is deeply integrated into an open-source security design tool and validated in real-world industrial settings: it accurately identifies applicable vulnerabilities and significantly improves both the accuracy and efficiency of security control design, thereby shifting vulnerability management from reactive response to design-driven assurance. Its core contribution lies in establishing verifiable, formal relationships among design artifacts, vulnerabilities, and security controls—addressing a critical gap in automation-enabled security left-shifting.

Automated identification of design-specific vulnerabilitiesFormal specification of mitigation controls for vulnerabilitiesSystematic reasoning about system vulnerability postures

To address the challenges of complex security control configuration, difficult policy enforcement, and delayed response in networked systems, this paper proposes a Security Capability Model (SCM). The SCM establishes, for the first time, a computable abstract framework integrating information and data models, formally specifying rule semantics, policy parsing mechanisms, and data representations for filtering- and channel-protection–based controls. Leveraging UML/SysML modeling, Model-Driven Engineering (MDE), and a multi-granularity security control description language, the approach enables automated policy refinement, cross-heterogeneous-device (e.g., firewalls, encrypted gateways) configuration generation, and event-driven response. Experimental evaluation demonstrates a threefold improvement in policy deployment timeliness and a 40% increase in configuration accuracy, thereby filling a critical gap in the formal foundations for automated security policy enforcement.

OptimizationSecurity ControlsThreat Response

To address the challenges of identifying static security vulnerabilities in proprietary and open-source software, unclear vulnerability remediation priorities, and escalating software supply chain risks, this paper proposes an end-to-end, customizable Static Application Security Testing (SAST) workflow. The workflow enables multi-tool orchestration, iterative scanning, and seamless DevSecOps integration, incorporating AI-driven vulnerability prioritization and automated remediation governance as key innovations. Leveraging a generalized process design with environment-adaptive configuration, it significantly improves detection coverage and remediation efficiency. Experimental evaluation in industrial settings demonstrates that the approach reduces source-code-level vulnerabilities by 32.7%, mitigates third-party component–introduced risks by 41.5%, and ensures backward compatibility with legacy systems while supporting scalable deployment across heterogeneous environments.

Creating configurable DevSecOps workflow for prioritized vulnerability remediationDeveloping adaptable process for scanning proprietary and open-source software vulnerabilitiesReducing source code vulnerabilities and supply chain risks in SDLC

This study addresses the automated selection of an optimal subset of security controls from large, standardized control catalogs (e.g., ITSG-33) under budget constraints, inter-control dependencies, and heterogeneous effectiveness. Method: We propose the first approach that algebraically models control dependencies within a zero-sum game framework, formalizing attacker–defender interaction as a single two-player zero-sum game to enable scalable, interpretable, and catalog-aware control selection. Contribution/Results: A Python-based prototype tool was developed and evaluated on a Canadian military system case study. Results demonstrate significant improvements in security objective attainment and budget utilization efficiency, while providing actionable, auditable decision support for critical information infrastructure protection.

Balancing budget, effectiveness, and dependencies among security controls.Selecting effective security controls from large standardized catalogues.Using game theory to guide decision-making for secure system development.

Enhancing Energy Sector Resilience: Integrating Security by Design Principles

Feb 18, 2024
DS
Dov Shirtz
🏛️ Ben-Gurion University | Shamoon College of Engineering

Energy-sector industrial control systems (ICS) exhibit insufficient security resilience and overreliance on reactive, post-incident remediation. Method: This paper proposes a layered, implementable Security-by-Design (SbD) framework and a deployable set of security requirements tailored to critical infrastructure. Integrating systems engineering, ICS-specific security architecture, organizational behavior principles, and continuous monitoring, the approach spans the entire lifecycle—design, development, deployment, and operations—while ensuring alignment with IEC 62443 and NIST SP 800-82. Contribution/Results: It represents the first systematic, end-to-end operationalization of SbD in energy ICS contexts, enabling a paradigm shift from passive incident response to inherent, “native immunity.” The resulting scalable, auditable, and standards-coordinated SbD implementation guide supports the development of high-assurance, resilient, and sustainably evolvable cybersecurity ecosystems.

Enhancing energy sector resilience through Security by Design (SbD) principlesEstablishing an SbD-driven ecosystem to combat cyber threats effectivelyIntegrating SbD in industrial control systems lifecycle for robust security

Latest Papers

What's happening recently
View more

Aligning Security Compliance and DevOps: A Longitudinal Study

Dec 16, 2025
FM
Fabiola Moyón
🏛️ Siemens Foundational Technologies | fortiss | Blekinge Institute of Technology | University of Applied Sciences

A structural tension exists between DevOps agility and security compliance requirements—particularly IEC 62443-4-1—in critical infrastructure domains. Method: This study proposes and empirically validates RefA, a security-compliance-adapted DevOps lifecycle framework. RefA introduces actionable, non-security-expert-oriented processes via standardized security activity integration, cross-functional knowledge transfer mechanisms, and organizational change support. It employs IEC 62443-4-1–driven process modeling, longitudinal empirical research, and industrial-grade DevOps adaptation techniques, validated across multiple phases at Siemens AG. Contribution/Results: RefA demonstrably enhances product teams’ autonomous capability to implement compliant DevOps practices, strengthens security-by-design maturity, and improves delivery efficiency—thereby systematically bridging the agility–compliance gap in safety-critical contexts.

Adapting DevOps for critical infrastructure security standardsAligning security compliance with agile DevOps workflowsTransferring compliance knowledge to cross-functional product teams

Language-based Security and Time-inserting Supervisor

May 22, 2025
DP
Damas P. Gruska
🏛️ Comenius University

This paper addresses the problem of enforcing language-level safety supervision over unsafe processes under partial observability—where both system behavior and attacker strategies are incompletely known—and seeks to guarantee safety specifications via selective action disabling or timed action injection. Methodologically, it innovatively integrates algebraic language theory with discrete-event system modeling to propose, for the first time, a time-aware supervisory framework supporting dynamic safety correction. The paper establishes necessary and sufficient conditions for supervisor existence, rigorously characterizing its controllability, nonblockingness, and minimal intervention properties. It further proves that language-inclusion-based safety can be guaranteed even under partial observability. These results provide a formal foundation and constructive methodology for real-time safety control in resource-constrained and information-poor environments.

Analyzing supervisor existence under partial information conditionsDefining language-based security for processes algebraicallySupervisor controls actions to secure insecure processes

Enhancing Software Supply Chain Security Through STRIDE-Based Threat Modelling of CI/CD Pipelines

Jun 06, 2025
SD
Sowmiya Dhandapani
🏛️ Independent Cyber Security Researcher

This paper addresses the insufficient identification and mitigation of software supply chain security risks throughout the CI/CD pipeline lifecycle. We propose a structured threat modeling methodology grounded in the STRIDE framework, applied incrementally across core infrastructure components—including GitHub, Jenkins, Docker, and Kubernetes—to cover all phases from source code management to production deployment. A novel integration of STRIDE with the SLSA maturity model enables quantitative assessment of how specific security controls elevate SLSA compliance levels. By unifying Security as Code principles with the “Shift Left–Shield Right” paradigm, our approach realizes threat-driven, automated security enforcement. The outcomes include a structured threat–control mapping matrix and an actionable CI/CD security hardening roadmap, directly supporting DevSecOps adoption and progressive SLSA compliance advancement.

Analyzing vulnerabilities from source code to deployment with GitHub, Jenkins, Docker, KubernetesEnhancing CI/CD security via NIST, OWASP, and SLSA-based controls and toolchain integrationIdentifying and mitigating risks in CI/CD pipelines using STRIDE threat modeling

A Systematic Mapping Study on Risks and Vulnerabilities in Software Containers

Dec 12, 2025
MS
Maha Sroor
🏛️ University of Jyvaskyla | University of Oulu

Container technologies are widely adopted, yet their full lifecycle entails significant security risks; existing software engineering literature lacks systematic, empirically grounded integration of container security knowledge. To address this gap, we conducted a systematic mapping study (SMS) complemented by bibliometric analysis and thematic coding across 129 empirical studies. Our work introduces the first structured, evidence-based taxonomy of security risks for containerized systems—identifying 23 core risk categories and vulnerabilities, explicating their root causes and impacts, and synthesizing reusable mitigation strategies. Additionally, we catalog 47 security practices and tools. The taxonomy enables cross-phase risk mapping—from development through deployment—and integrates fragmented knowledge into a coherent framework. It establishes a theoretical benchmark for container security research and delivers actionable, engineering-oriented guidance for practitioners.

Identifies security risks in container development and deploymentOrganizes knowledge on vulnerabilities across container lifecycleProposes mitigation techniques and security practices for containers

Security Debt in Practice: Nuanced Insights from Practitioners

Jul 15, 2025
CB
Chaima Boufaied
🏛️ University of Calgary | Trent University | Prince Sultan University

This study addresses the ambiguity in recognizing security debt (SD), fragmented management practices, and insufficient cross-role communication—challenges exacerbated by delivery pressure and resource constraints in software development. Through semi-structured interviews with 22 practitioners from diverse countries and roles (development, security, operations), complemented by qualitative analysis grounded in both software engineering (SE) and information security (InfoSec) perspectives, the research systematically identifies SD root causes, propagation pathways, and trade-off mechanisms. It is the first to empirically reveal significant inter-role discrepancies in security risk perception, priority assessment, and tool adoption. The study proposes an integrated framework embedding the CIA triad (Confidentiality, Integrity, Availability) into each phase of the software development lifecycle (SDLC). Findings validate the necessity of enforcing consistent security policies, dynamically balancing resources, and enabling cross-level risk communication—providing empirical foundations and actionable pathways for systemic SD governance.

Communication of security risks within teams and to decision makersHow practitioners perceive and manage security debtsTools and strategies used to mitigate security debts

Hot Scholars

LW

Laurie Williams

North Carolina State University, Computer Science, Distinguished Univ Prof, IEEE Fellow, ACM Fellow
Software EngineeringSoftware SecurityAgile Software DevelopmentEmpirical Software Engineering
YA

Yasemin Acar

Paderborn University & The George Washington University
KH

Kevin Hermann

IT PhD student, Ruhr-University Bochum
IT SecurityFeature TracingSoftware Engineering
TB

Thorsten Berger

Professor of Computer Science, Ruhr University Bochum
Software EngineeringAI EngineeringSoftware Product LinesModel-Driven Engineering
SP

Sven Peldszus

Ruhr-University Bochum
SecuritySecurity-by-designModel-based DevelopmentStatic Analysis