Prioritizing Industrial Security Findings in Agile Software Development Projects

Automating repetitive activities is a key principle in most software development approaches employed in the industry. This implies that security activities and all related processes should be investigated for automation capabilities, particularly the management of security findings and vulnerabilities. Considering the limited time available for each release and the vast flood of findings by automated security testing, prioritizing security finding responses is essential. In this paper, we present a partially automated process to prioritize security findings in industrial software development projects. We utilize a two-staged calculation process to produce a prioritization score, representing the finding's severity and factors like stakeholder input alike. This process was evaluated by conducting structured interviews with security professionals while also integrating the approach in ongoing industrial software development projects. The results indicate the potential of the process in terms of usefulness and correctness for agile software development projects.