Safety, security, and configurable software systems: A systematic mapping study

Abstract

Safety and security are important properties of any software system, particularly in safety-critical domains, such as embedded, automotive, or cyber-physical systems. Moreover, particularly those domains also employ highly-configurable systems to customize variants, for example, to different customer requirements or regulations. Unfortunately, we are missing an overview understanding of what research has been conducted on the intersection of safety and security with configurable systems. To address this gap, we conducted a systematic mapping study based on an automated search, covering ten years (2011 - 2020) and 65 relevant (out of 367) publications. We classified each publication based on established security and safety concerns (e.g., CIA triad) as well as the connection to configurable systems (e.g., ensuring security of such a system). In the end, we found that considerably more research has been conducted on safety concerns, but both properties seem under-explored in the context of configurable systems. Moreover, existing research focuses on two directions: Ensuring safety and security properties in product-line engineering; and applying product-line techniques to ensure safety and security properties. Our mapping study provides an overview of the current state-of-the-art as well as open issues, helping practitioners identify existing solutions and researchers define directions for future research.