On Fri, Sep 28, 2012 at 10:15 PM, Auburn Study <sse.auburn.st...@gmail.com> wrote:
> Hi All,
>
> I am a graduate student at Auburn University, working with Dr. Munawar Hafiz. We are working on an empirical study project to understand the software engineering practices used in companies that produce secure software. In particular, we are concentrating on how developers write code to prevent buffer overflow and integer overflow vulnerabilities. We are interested in the software development process: how you develop software, how you test and analyze programs to detect vulnerabilities, and what processes you follow to remove bugs. We are looking into automated tools that software developers use, and are expecting that there is a common insight in the security engineering process that can be reusable.
>
> We request your assistance by participating in this research study. We would greatly appreciate it if you would share your experience with us by answering the questions at the end of this email. We may send some follow-up questions based on your response in future. Your response(s) will be kept confidential, and will only be aggregated with those of other responders. Please let us know if you have any questions or concerns regarding the study. Thanks in advance for your support.
>
> Yasmeen Rawajfih
> Software Analysis, Transformations and Security Group
> Auburn University
>
> Working under the supervision of:
> Dr. Munawar Hafiz
> Assistant Professor
> Dept. of Computer Science and Software Engineering
> Auburn University
> Auburn, AL
> http://munawarhafiz.com/
>
> Questions: (There are eleven questions.)
>
> 1. How long have you been a software developer?
>
> 2. How long have you been affiliated with PHP? Were you part of the original development team for this software?
>
> 3. What is the size of the current code base?
>
> 4. Did you follow a coding standard when developing this software? Is it a standard determined by your group?
>
> 5. What did you use to manage bug reports in your software? Does it satisfy your requirements? Are there other software options that you would consider switching to?
>
> 6. Did you use any compiler options to detect integer overflow vulnerabilities? Do you think that they are useful?
>
> 7. Did you use any automated (static or dynamic analysis) tools to detect buffer overflows, integer overflows, or any other bugs? Which tools did you use? Why these tools?
>
> 8. Did you use fuzzing? Which tools did you use and why? If you wrote your own fuzzer, why did you write it yourself? Was it written from scratch or by extending some other fuzzing tools?
>
> 9. Did you have specific phases during development where you concentrated on fixing security issues? Did you have a test suite, unit tests, or regression tests?
>
> 10. Buffer overflows often result from the use of unsafe functions, such as strcpy. Does your software use those? If you use a different string library, why is it used? Is it an in-house library or an off-the-shelf library? Did you migrate your code to use the string library?
>
> 11. The following vulnerability was reported in the SecurityFocus vulnerability list: [47950]: “PHP 'socket_connect()' Function”. Were any changes made to your development process/practices as a result of the reported vulnerability? If so, please specify.

CC'ing the internals list as it has more subscribers from the developers.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
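Questions 6 and 10 above name two concrete C-level bug classes (unchecked string copies with strcpy, and unchecked integer arithmetic). The block below is an added illustration written for this thread; it is not code from the survey, from Auburn, or from the PHP source tree. It shows the strcpy pattern next to a bounded copy that reports truncation, and an unchecked allocation-size multiplication next to one guarded with __builtin_mul_overflow (a GCC/Clang builtin; this example assumes one of those compilers). All function names and the sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * The pattern question 10 asks about: strcpy copies until it finds a NUL in
 * src and never looks at the size of dst. If strlen(src) >= dst size, the
 * copy runs past the end of dst. Shown here for contrast only; main() below
 * never calls it with an oversized source.
 */
static void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src); /* no bound on dst: classic stack/heap overflow */
}

/*
 * Bounded replacement (example code, not a library API): always leaves dst
 * NUL-terminated, never writes more than dst_size bytes, and tells the caller
 * when the input did not fit so truncation cannot be silently ignored.
 * Returns 0 on success, -1 on truncation (or if dst_size is 0).
 */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;

    /* Look for the terminator only within the space we are allowed to use. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        /* src (plus its NUL) does not fit: copy what fits and terminate. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1); /* includes the NUL */
    return 0;
}

/*
 * The pattern question 6 asks about: count * elem_size wraps silently for
 * unsigned types, so a huge count can yield a tiny allocation that is then
 * indexed as if it were large.
 */
size_t unchecked_alloc_size(size_t count, size_t elem_size)
{
    return count * elem_size; /* wraps modulo SIZE_MAX + 1 */
}

/*
 * Guarded version: __builtin_mul_overflow (GCC >= 5, Clang) stores the product
 * in *out and returns true if the mathematically correct result did not fit.
 * Returns 0 on success, -1 if the multiplication would wrap.
 */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    size_t total;
    if (__builtin_mul_overflow(count, elem_size, &total))
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    char buf[8];

    /* Fits: strcpy and the bounded copy behave the same. */
    unsafe_copy(buf, "hi");
    printf("unsafe_copy (fits): %s\n", buf);
    printf("bounded_copy rc=%d buf=\"%s\"\n",
           bounded_copy(buf, sizeof buf, "hello"), buf);

    /* Does not fit: strcpy would overflow here; bounded_copy truncates
       and reports it instead. Constructed input. */
    printf("bounded_copy rc=%d buf=\"%s\"\n",
           bounded_copy(buf, sizeof buf, "this is too long"), buf);

    /* Constructed hostile count: just over SIZE_MAX/2 elements of 2 bytes. */
    size_t hostile = SIZE_MAX / 2 + 2, total = 0;
    printf("unchecked size: %zu\n", unchecked_alloc_size(hostile, 2));
    printf("checked rc=%d\n", checked_alloc_size(hostile, 2, &total));
    return 0;
}
```

Compile with `cc -Wall -O2 example.c`; adding `-fsanitize=undefined` (Clang/GCC) additionally traps signed overflow at run time, which is the kind of compiler option question 6 refers to, but the unsigned wrap in `unchecked_alloc_size` is well defined and will not trap, so the explicit builtin check is what actually catches it.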