Research and publications

Here we share our project research and publications with the wider cyber security community.

Follow the links to download particular items.

September 1, 2024

The New F-Word: The case of fragmentation in Dutch cybersecurity governance

The fragmentation of the Dutch cybersecurity governance landscape is a widely discussed phenomenon among politicians, policy makers, and cybersecurity specialists. Remarkably, a negative narrative underlies the idea of fragmentation, suggesting that we are dealing with a serious problem: one that has the potential to impede cybersecurity governance in the Netherlands. This research zooms in on how cybersecurity governance is organised within the central government, and which organisations are concerned with the creation, implementation, and oversight of cybersecurity policies vis-à-vis Dutch society. The article provides an overview of all central government organisations (de Rijksoverheid) that are involved in cybersecurity governance at a strategic level. It is the first step in doctoral research into the possible implications of the fragmentation of cybersecurity governance in the Dutch central government, and how this fragmentation could affect policy creation, implementation, and oversight. Based on the mapping of this governance landscape, the study set out to measure fragmentation by the number of units or organisations concerned with cybersecurity governance in the central government at a strategic level. It found that, based on Boyne's (1992) notion of fragmentation and the Dutch government's definition of tiers, the Dutch cybersecurity governance landscape could indeed, when meticulously following Boyne's counting procedure, be regarded as fragmented.

August 20, 2024

“Have Heard of it”: A Study with Practitioners on Adoption of Secure Software Development Frameworks

The ever-growing incidence of software vulnerabilities giving rise to devastating cyber attacks pushes organizations and governments to take software security more seriously. To avoid vulnerabilities, organizations producing software strive to adopt secure software development frameworks (SSDFs). Our mixed-methods study with software development practitioners focuses on SSDF adoption trends and examines the key factors influencing organizational decisions regarding secure software development. Our findings from a survey (n=37) and interviews (n=8) with software development practitioners indicate that, while being aware of the existing SSDFs, organizations mostly use custom-made frameworks that afford more flexibility and align better with their development processes.

July 10, 2024

MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery

Vulnerability datasets have become an important instrument in software security research, being used to develop automated, machine learning-based vulnerability detection and patching approaches. Yet, any limitations of these datasets may translate into inadequate performance of the developed solutions. For example, the limited size of a vulnerability dataset may restrict the applicability of deep learning techniques. In our work, we have designed and implemented a novel workflow with several heuristic methods that combines state-of-the-art approaches to gathering CVE fix commits. As a consequence of these improvements, we have been able to gather the largest programming language-independent real-world dataset of CVE vulnerabilities with their associated fix commits. Our dataset, containing 26,617 unique CVEs from 6,945 unique GitHub projects, is, to the best of our knowledge, by far the biggest CVE vulnerability dataset with fix commits available today. These CVEs are associated with 31,883 unique commits that fixed those vulnerabilities. Compared to prior work, our dataset brings about a 397% increase in CVEs, a 295% increase in covered open-source projects, and a 480% increase in fix commits. Our larger dataset thus substantially improves over the current real-world vulnerability datasets and enables further progress in research on vulnerability detection and software security. We release to the community a 14GB PostgreSQL database that contains information on CVEs up to January 24, 2024, the CWEs of each CVE, the files and methods changed by each commit, and repository metadata. Additionally, patch files related to the fix commits are available as a separate package. Furthermore, we also make our dataset collection tool available to the community.
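The core of any CVE fix-commit dataset is linking a CVE to the commit that fixed it, and the three headline numbers above (unique CVEs, unique projects, unique commits) are simply counts over that mapping. The following is an added illustration of the simplest such heuristic (scanning a CVE's reference URLs for GitHub commit or pull-request commit links) and of how the three counts are derived from the result; it is not the MoreFixes workflow or tool, and the CVE records and URLs it operates on are constructed sample data, not entries from the released database.

```python
import re
from collections import defaultdict

# Constructed sample: CVE identifiers mapped to their reference URLs, in the
# spirit of an NVD reference list. None of these are real advisories.
SAMPLE_CVES = {
    "CVE-2021-0001": [
        "https://github.com/example/libfoo/commit/0123456789abcdef0123456789abcdef01234567",
        "https://example.org/advisory/1",
    ],
    "CVE-2021-0002": [
        # a commit referenced through the pull request that carried it
        "https://github.com/example/libfoo/pull/42/commits/89abcdef0123456789abcdef0123456789abcdef",
        # the same commit as CVE-2021-0001: one fix covering two CVEs
        "https://github.com/example/libfoo/commit/0123456789abcdef0123456789abcdef01234567",
    ],
    "CVE-2022-0003": [
        "https://github.com/other/bar/issues/7",          # issue link, not a fix commit
        "https://github.com/Other/Bar/commit/fedcba98",   # abbreviated SHA, mixed-case owner
    ],
    "CVE-2022-0004": [
        "https://bugzilla.example.org/show_bug.cgi?id=9",  # no commit reference at all
    ],
}

# Heuristic (an assumption of this example): a fix commit is any GitHub URL of
# the form /<owner>/<repo>/commit/<sha> or /<owner>/<repo>/pull/<n>/commits/<sha>.
COMMIT_URL = re.compile(
    r"https?://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/"
    r"(?:commit|pull/\d+/commits)/(?P<sha>[0-9a-f]{7,40})\b",
    re.IGNORECASE,
)


def extract_fix_commits(cve_refs):
    """Map each CVE to the set of (project, sha) pairs found in its references.

    Project names and SHAs are lower-cased so that the same repository or
    commit written with different casing is counted once. CVEs with no
    recognisable commit reference are left out of the result.
    """
    fixes = defaultdict(set)
    for cve, refs in cve_refs.items():
        for url in refs:
            match = COMMIT_URL.search(url)
            if match is None:
                continue
            project = f"{match['owner']}/{match['repo']}".lower()
            fixes[cve].add((project, match["sha"].lower()))
    return dict(fixes)


def summarize(fixes):
    """Return the unique-CVE, unique-project and unique-commit counts of a mapping."""
    projects = {project for pairs in fixes.values() for project, _ in pairs}
    commits = {pair for pairs in fixes.values() for pair in pairs}
    return {"cves": len(fixes), "projects": len(projects), "commits": len(commits)}


if __name__ == "__main__":
    found = extract_fix_commits(SAMPLE_CVES)
    for cve, pairs in sorted(found.items()):
        print(cve, sorted(pairs))
    print(summarize(found))
```

Two points the sample is chosen to show: a single commit can fix more than one CVE, so the unique-commit count is lower than the number of (CVE, commit) links, and references to issues or external bug trackers yield no commit at all, which is the gap that more elaborate repository-discovery heuristics exist to close.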

May 23, 2024

A Software Security Evaluation Framework

This research aims to introduce a comprehensive framework for measuring the security of software systems. Because we observe that existing security measurement approaches focus strongly on security metrics, we plan to enhance and extend them with human insights drawn from the mental models of secure software development experts. By intertwining security metrics with humans' perception of security, we strive to overcome the well-known hurdles of software security measurement, which has long been considered an unsolvable problem. Our proposed solution is captured in the so-called software security evaluation framework.

May 21, 2024

You cannot improve what you do not measure: A triangulation study of software security metrics

When organizations invest in security, they need to monitor whether their security program is effective and helps them remediate vulnerabilities. For this purpose, many organizations collect security metrics. In this paper, we investigate the current state of the art and state of practice of security metrics used to measure security across all phases of the software development lifecycle (SDLC). The study focused on gaining multiple perspectives on software security measurement. To this end, we performed a triangulation study that compared security metrics proposed in the academic literature, metrics mentioned in grey literature aimed at software practitioners, and metrics elicited in a focus group workshop with secure software engineering experts.

Our study reports two critical insights. First, our results reveal a significant discrepancy in the utilization of metrics across the different SDLC stages. While the academic literature proposes a comprehensive spectrum, encompassing metrics for both early and late SDLC phases, industry predominantly focuses on the later SDLC stages. This highlights an industry-wide tendency to prioritize security measurement later in the software development process, potentially overlooking early-stage concerns.

Second, our study sheds light on practitioners' dissatisfaction with the current security metrics. This dissatisfaction highlights the industry's need for more nuanced and effective metrics that can offer both quantitative and qualitative insights to assess the security of a software development program.

January 12, 2024

Stakeholder meeting report on Security-by-Design

Our second stakeholder meeting, in November 2023, brought together software developers from larger companies and from SMEs. Through a series of workshop exercises we discussed with them what security by design means for them and for the organisations they work for.

This report offers an anonymized overview of these discussions, of how software developers' understanding of what security is can be broadened, and of what is lacking in the current approach to security by design.

January 12, 2024

Article in Computer Law and Security Review

Authors Cristina Del Real, Els De Busser and Bibi van den Berg published their systematic literature review on the definition of security by design and how it compares to privacy by design. In the peer-reviewed article we discuss how existing research from different disciplines looks at security by design and privacy by design, and why this leads to divergences and convergences between the two. Our main conclusion is that the definition of security by design is unclear, which leaves software developers to fill in the concept themselves. Privacy by design has a clearer definition, endorsed by a single author who also gave it more specific guardrails.

The article is published in Computer Law and Security Review and freely accessible via the link below.

January 12, 2024

From compliance to security article

C-SIDe project team member Jasmijn Boeken published an opinion piece on how compliance differs from security. She argues for moving from compliance to real security by implementing a care-based stakeholder approach to cyber security in companies, which would assist companies in ethical decision-making and in taking responsibility.

November 29, 2022

Secure Software Methodologies paper

Project team members Arina Kudriavtseva and Olga Gadyatskaya published their research titled Secure Software Development Methodologies: A Multivocal Literature Review. Analyzing 28 secure software development methodologies from industry, government and academia, they identified the security practices these methodologies prescribe. A particular focus of the research is on auxiliary or non-technical practices, including the organizational, behavioral, legal, policy and governance aspects that are incorporated into the methodologies.

May 11, 2022

Project Protocols

Cristina Del-Real, Els De Busser and Bibi van den Berg of the Project C-SIDE team have registered their protocol for a systematic review on security by design and related concepts. This interdisciplinary and integrative review of security by design will provide essential input for the conceptual framework of the C-SIDE methodology.

Our protocol is freely available to download. Follow the link below.