Hi All,
I am a graduate student at Auburn University, working with Dr. Munawar
Hafiz on an empirical study project to understand the software engineering
practices used in companies that produce secure software. In particular, we
are concentrating on how developers write code to prevent buffer overflow
and integer overflow vulnerabilities. We are interested in the software
development process: how you develop software, how you test and analyze
programs to detect vulnerabilities, and what processes you follow to remove
bugs. We are looking into automated tools that software developers use, and
are expecting that there is a common insight in the security engineering
process that can be reused.
We request your assistance by participating in this research study. We
would greatly appreciate it if you would share your experience with us by
answering the questions at the end of this email. We may send some follow-up
questions based on your response in the future. Your response(s) will be
kept confidential, and will only be aggregated with those of other
reporters. Please let us know if you have any questions or concerns
regarding the study. Thanks in advance for your support.
Yasmeen Rawajfih
Software Analysis, Transformations and Security Group
Auburn University
Working under the supervision of:
Dr. Munawar Hafiz
Assistant Professor
Dept. of Computer Science and Software Engineering
Auburn University
Auburn, AL
http://munawarhafiz.com/
Questions: (There are ten questions.)
1. How long have you been a software developer?
2. How long have you been affiliated with GIMP? Were you part of the
original development team for this software?
3. What is the size of the current code base?
4. Did you follow a coding standard when developing this software? Is
it a standard determined by your group?
5. What did you use to manage bug reports in your software? Does it
satisfy your requirements? Are there other software options that you would
consider switching to?
6. Did you use any compiler options to detect integer overflow
vulnerabilities? Do you think that they are useful?
7. Did you use any automated (static or dynamic analysis) tools to
detect buffer overflows, integer overflows, or any other bugs? Which tools
did you use? Why these tools?
8. Did you use fuzzing? Which tools did you use and why? If you wrote
your own fuzzer, why did you write it yourself? Was it written from scratch
or by extending some other fuzzing tools?
9. Did you have specific phases during development where you
concentrated on fixing security issues? Did you have a test suite, unit
tests, or regression tests?
10. Buffer overflows often result from the use of unsafe functions, such
as strcpy. Does your software use those? If you use a different string
library, why is it used? Is it an in-house library or an off-the-shelf
library? Did you migrate your code to use the string library?
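The two bug classes that questions 6 and 10 ask about, as an added illustration written for this page; it is not code from the survey, from the questioner, or from the GIMP code base. The function names (unsafe_set_name, bounded_copy, checked_image_bytes and the small wrappers) and the sample inputs are hypothetical. It puts the strcpy pattern next to a bounded copy that reports failure instead of truncating, and a size computation that wraps next to one that refuses to.

```c
/* Added illustration for questions 6 and 10; example code written for this
 * page, not code from the survey or from the GIMP code base. Function names
 * (unsafe_set_name, bounded_copy, checked_image_bytes, copy_into_16,
 * checked_or_max) and the sample inputs are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Question 10, the unsafe pattern: strcpy() copies until the NUL terminator
 * of src and never consults the size of dst, so any src longer than
 * sizeof dst - 1 writes past the end of dst. Kept here only for contrast and
 * never called with an oversized input in this file. */
static void unsafe_set_name(char *dst, const char *src)
{
    strcpy(dst, src);   /* dst size unknown to the callee: the overflow sink */
}

/* Bounded replacement. Copies src into dst only if it fits together with its
 * terminator; otherwise leaves dst as an empty string and reports failure,
 * so the caller rejects the input instead of continuing with a silently
 * truncated value. Returns 0 on success, -1 if src does not fit. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    const char *end;
    if (dstsz == 0)
        return -1;
    end = memchr(src, '\0', dstsz);   /* look for the NUL within dstsz bytes only */
    if (end == NULL) {                /* src is dstsz bytes or longer: does not fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL; <= dstsz bytes */
    return 0;
}

/* Question 6, the integer-overflow side of the same bug. An allocation size
 * computed as width * height * bpp wraps silently for large dimensions, and
 * the buffer malloc() then hands back is far smaller than the pixel loop
 * assumes. Unsigned wrap-around is well-defined C, so -ftrapv and
 * -fsanitize=signed-integer-overflow do not report it; the check must be
 * explicit. Returns 0 and stores the size, or -1 if any product would wrap. */
static int checked_image_bytes(size_t width, size_t height, size_t bpp, size_t *out)
{
    size_t rowbytes;
    if (bpp != 0 && width > SIZE_MAX / bpp)          /* width * bpp would wrap */
        return -1;
    rowbytes = width * bpp;
    if (height != 0 && rowbytes > SIZE_MAX / height) /* rowbytes * height would wrap */
        return -1;
    *out = rowbytes * height;
    return 0;
}

/* The same arithmetic with the wrap left in, so the two can be compared. */
static size_t unchecked_image_bytes(size_t width, size_t height, size_t bpp)
{
    return width * height * bpp;
}

/* Wrapper with a fixed 16-byte buffer so the copy result can be checked. */
static int copy_into_16(const char *src)
{
    char name[16];
    return bounded_copy(name, sizeof name, src);
}

/* Returns the checked size, or SIZE_MAX as the "refused" marker. */
static size_t checked_or_max(size_t width, size_t height, size_t bpp)
{
    size_t total;
    return checked_image_bytes(width, height, bpp, &total) == 0 ? total : SIZE_MAX;
}

int main(void)
{
    char name[16];
    /* SIZE_MAX / 4 + 1 pixels wide at 4 bytes per pixel: width * bpp is
     * exactly 2^(bits of size_t), which wraps to 0. */
    size_t huge_w = SIZE_MAX / 4 + 1;

    unsafe_set_name(name, "short");   /* fits, so strcpy is harmless here */
    printf("strcpy of trusted data: \"%s\"\n", name);

    printf("bounded_copy, 34-byte input into 16 bytes -> %d\n",
           copy_into_16("this string is far too long for it"));
    printf("bounded_copy, 4-byte input into 16 bytes  -> %d\n",
           copy_into_16("fits"));

    printf("unchecked size for huge image: %zu bytes\n",
           unchecked_image_bytes(huge_w, 2, 4));
    printf("checked size for huge image: %s\n",
           checked_or_max(huge_w, 2, 4) == SIZE_MAX ? "refused (overflow)" : "accepted");
    printf("checked size for 640x480x4: %zu bytes\n", checked_or_max(640, 480, 4));
    return 0;
}
```

Build with `cc -Wall -std=c99 example.c`. Feeding the 34-byte string to unsafe_set_name instead would smash the stack; building with `-fsanitize=address` makes that visible at runtime, whereas the compiler options question 6 asks about (-ftrapv, -fsanitize=signed-integer-overflow) only catch signed arithmetic and stay silent on the size_t wrap shown in unchecked_image_bytes, which is why the explicit division check is there.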