TY - CHAP
T1 - Aggregating Industrial Security Findings with Semantic Similarity-Based Techniques
AU - Voggenreiter, Markus
AU - Schneider, Phillip
AU - Gulraiz, Abdullah
N1 - Publisher Copyright:
© 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2024
Y1 - 2024
N2 - In recent years, the unification of software development and operations teams has become a common trend in the industrial software development lifecycle. Among the many aspects of software development affected, security activities are an essential field of application for these DevOps principles. A common practice arising from this trend is the automation of security tests that analyze the software product from multiple perspectives. Among other things, this introduces the challenge of duplicate security findings being reported. To identify and eliminate these, security professionals have to invest time, effort, and domain expertise. In this article, we present our previous research on automating this aggregation process by semantic similarity-based clustering and extend it by applying it to three different industrial projects. Our results show the potential of latent semantic indexing (LSI) for the aggregation of industrial security findings from automated security testing.
KW - DevOps
KW - Duplicate identification
KW - Large language models
KW - Latent semantic indexing
KW - Natural language processing
KW - Security findings management
KW - Software development
KW - Vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85182477097&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-44260-5_7
DO - 10.1007/978-3-031-44260-5_7
M3 - Chapter
AN - SCOPUS:85182477097
T3 - Signals and Communication Technology
SP - 121
EP - 139
BT - Signals and Communication Technology
PB - Springer Science and Business Media Deutschland GmbH
ER -
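Worked example (added here; not code from the chapter or its authors). The abstract names the technique, semantic similarity-based clustering of findings with latent semantic indexing, but this record gives no details of the authors' pipeline, so everything below is an assumption: the tokenizer and stopword list, raw-count TF-IDF weighting, LSI computed through the eigen-decomposition of the document Gram matrix, the rank k=3, the 0.7 single-linkage threshold, and the five constructed findings (invented wording, not real scanner output). It is pure Python and runs without numpy or scikit-learn. What it shows is the point the abstract makes: two tools' wordings of the same weakness share few literal terms, so plain TF-IDF cosine is low, while the LSI projection onto a few concept dimensions places them together and keeps a genuinely different finding apart.

```python
import math
import re
from collections import Counter

# Constructed sample (not real scanner output): 0 and 1 are one SQL injection
# worded by two tools, 2 and 3 one reflected XSS, 4 an unrelated dependency finding.
FINDINGS = [
    "SQL injection: untrusted request parameter is concatenated into a SQL query in the login handler",
    "SQL injection detected: the login endpoint builds a database query from the username parameter without sanitization",
    "Reflected cross-site scripting: the search term is written into the HTML response without output encoding",
    "Reflected XSS on the search page: the search parameter is echoed into the HTML response unencoded",
    "Third-party library in the dependency manifest is at a version with a publicly known vulnerability",
]
STOPWORDS = {"a", "an", "the", "is", "in", "into", "of", "on", "at", "from",
             "with", "without", "to", "and", "for", "by"}  # assumed minimal list


def tokenize(text):
    """Lower-case alphabetic tokens minus stopwords (assumed; no stemming)."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS]


def tfidf_matrix(docs):
    """Return (vocab, rows); rows[j] is the TF-IDF vector of document j over vocab."""
    bags = [Counter(tokenize(d)) for d in docs]
    vocab = sorted({t for b in bags for t in b})
    df = {t: sum(1 for b in bags if t in b) for t in vocab}
    n = len(docs)
    return vocab, [[b[t] * math.log(n / df[t]) for t in vocab] for b in bags]


def cosine(u, v):
    """Cosine similarity; 0.0 if a vector is all zeros (a finding projected onto nothing)."""
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(x * x for x in v))
    return 0.0 if nu == 0.0 or nv == 0.0 else sum(a * b for a, b in zip(u, v)) / (nu * nv)


def jacobi_eigen(sym, sweeps=50, tol=1e-12):
    """Eigen-decomposition of a small symmetric matrix by cyclic Jacobi rotations.
    Returns (eigenvalues, V) with the eigenvectors as the columns of V."""
    n = len(sym)
    a = [row[:] for row in sym]
    v = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] * a[i][j] for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):  # A <- A P   (mix columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- P^T A (mix rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):  # V <- V P   (accumulate eigenvectors)
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(n)], v


def lsi_coordinates(rows, k):
    """Project documents into a k-dimensional LSI concept space. With A = terms x docs,
    A^T A = V diag(sigma^2) V^T; document j's reduced coordinates are sigma_i * V[j][i]."""
    n = len(rows)
    gram = [[sum(x * y for x, y in zip(rows[i], rows[j])) for j in range(n)] for i in range(n)]
    eigvals, vecs = jacobi_eigen(gram)
    top = sorted(range(n), key=lambda i: eigvals[i], reverse=True)[:k]
    return [[math.sqrt(max(eigvals[i], 0.0)) * vecs[j][i] for i in top] for j in range(n)]


def cluster(coords, threshold):
    """Single-linkage aggregation: findings whose LSI cosine reaches the threshold
    (transitively) form one group. Returns groups as sorted lists of indices."""
    parent = list(range(len(coords)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i in range(len(coords)):
        for j in range(i + 1, len(coords)):
            if cosine(coords[i], coords[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(coords)):
        groups.setdefault(find(i), []).append(i)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    _, rows = tfidf_matrix(FINDINGS)
    coords = lsi_coordinates(rows, k=3)  # k and threshold are assumed; tune on labelled duplicates
    for i, j in [(0, 1), (2, 3), (0, 2), (0, 4)]:
        print(f"findings {i},{j}: tf-idf cosine {cosine(rows[i], rows[j]):.2f}, "
              f"LSI cosine {cosine(coords[i], coords[j]):.2f}")
    print("aggregated groups:", cluster(coords, threshold=0.7))
```

Run it directly to print raw versus LSI cosines for the constructed pairs and the resulting aggregates. Two caveats a practitioner would want: k and the threshold are corpus-dependent and need tuning against analyst-labelled duplicates, and single-linkage can chain unrelated findings through an intermediate one, so merged groups should be reviewed rather than auto-closed.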