Generating Software Security Knowledge Through Empirical Methods

A mature field requires researchers who are able to analyze and synthesize research to draw deeper, more meaningful conclusions. As a research area matures there is often a sharp increase in the number of research reports and results made available. With this increase, it is important to perform secondary studies that summarize results and provide an overview of the area. Methodologies exist for various types of secondary studies (i.e. systematic literature reviews and systematic mapping studies), which have been extensively used in evidence-based medicine and and software engineering. Secondary studies are less common in security engineering. However, a general trend toward more empirical studies in software security and evidence-based software security engineering has led to an increased focus on systematic research methods.