Security Risk Assessment in Software Development Projects
Abstract
Software security is growing in importance in step with the number of vulnerabilities caused by software flaws. It is not possible to spend all of a project's resources on software security. To spend the resources allocated to security effectively, one should know what is most important to protect. By performing a risk analysis the project learns which vulnerabilities it faces. A risk analysis prioritises the vulnerabilities, and once they are prioritised the project knows where to focus its security measures. In software development, risk is usually defined as the probability that an exposed vulnerability is exploited times the consequence if it is. This Master's Thesis investigates the current state of practice for risk assessment in software projects. It also investigates the effect risk assessments have on software projects and what is perceived as their benefits and drawbacks.
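The following is an added example, not part of the thesis, showing how the probability-times-consequence definition above turns into a prioritised list and how a fixed remediation budget is then spent on the highest-risk items first. The vulnerabilities, their scores and the costs are constructed sample data, and the 0..1 probability scale, the 1..5 consequence scale and the greedy budget allocation are assumptions made for illustration:

```python
"""Rank vulnerabilities by risk = probability * consequence and pick the ones a
fixed remediation budget can cover.

Added example with constructed data: the scales, vulnerabilities, scores and
costs below are assumptions for illustration, not data from the thesis."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    probability: float  # likelihood of exploitation, 0.0..1.0 (assumed scale)
    consequence: int    # impact on an ordinal 1..5 scale (assumed scale)
    cost: int           # estimated remediation effort in person-days (assumed)

    @property
    def risk(self) -> float:
        # The definition used in the text: risk = probability x consequence.
        return self.probability * self.consequence


def prioritise(vulns):
    """Return the vulnerabilities sorted by descending risk.

    Ties are broken by the cheaper fix first, then by name for a stable order."""
    return sorted(vulns, key=lambda v: (-v.risk, v.cost, v.name))


def plan_within_budget(vulns, budget):
    """Greedy allocation: walk the prioritised list and take every item whose
    remediation cost still fits in the remaining budget.

    Returns (chosen, accepted_risk), where accepted_risk is the summed risk of
    everything that is left untreated, i.e. the risk the project knowingly
    accepts for this budget."""
    chosen, remaining = [], budget
    for v in prioritise(vulns):
        if v.cost <= remaining:
            chosen.append(v)
            remaining -= v.cost
    accepted_risk = sum(v.risk for v in vulns if v not in chosen)
    return chosen, accepted_risk


# Constructed sample findings for one hypothetical project.
SAMPLE = [
    Vulnerability("SQL injection in login form", 0.8, 5, cost=3),
    Vulnerability("Verbose stack traces returned to clients", 0.9, 1, cost=1),
    Vulnerability("Outdated TLS library", 0.5, 4, cost=5),
    Vulnerability("Missing rate limit on password reset", 0.6, 3, cost=2),
    Vulnerability("Debug endpoint reachable from the office network", 0.2, 4, cost=4),
]


if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.risk:4.1f}  {v.name} (cost {v.cost}d)")
    chosen, accepted = plan_within_budget(SAMPLE, budget=6)
    print("\nWith 6 person-days, fix:")
    for v in chosen:
        print(f"  - {v.name}")
    print(f"Accepted (untreated) risk: {accepted:.1f}")
```

Note that the finding with the highest probability (the verbose stack traces) ends up near the bottom of the list, and the one with the second-highest consequence (the debug endpoint) ends up last: ranking by either factor alone would give a different order, which is why the text defines risk as the product. The greedy allocation also makes the trade-off explicit: with a budget of 6 person-days the outdated TLS library, the second-highest risk, is skipped because it does not fit, and the returned accepted risk tells the project what it is living with.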
During the project a survey was sent out to 200 organisations, of which 21 chose to answer. The survey provided initial data on the current state of practice for risk assessment in software projects. At the end of the survey, participants could choose to continue contributing by volunteering for an interview; 8 of the survey participants did so. Results show that 61.9% of the survey participants performed risk assessments for information security in their projects. Further, 46.6% re-evaluated the risk continuously, and the biggest difficulties were lack of time and budget. The interviews gave an understanding of the problems organisations face with risk assessments, such as economic constraints. The interviews also showed variation in how the developers in the projects were trained.
Based on the survey results and the interviews, I conclude that it is mostly the larger organisations that perform risk assessments, while the smaller ones do not want to spend resources on it. The interviews show that the effect of a risk assessment goes beyond the software and has a positive effect on the mindset of developers and the culture of the organisation, while the biggest drawback is the economic cost. Most important is the ability to solve problems when they occur, and risk assessment is a great tool for keeping the organisation prepared.