Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

Weir, Charles; Becker, Ingolf; Noble, James; Blair, Lynne; Sasse, M. Angela; Rashid, Awais

doi:10.1002/spe.2774

Cited by 22 publications

(38 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Its advantage over SATs is primarily that it can operate on code where the full source is not available, such as with apps with third-party libraries that download and run code during execution. Both static and dynamic analysis provide useful insights for testing, but neither are comprehensive [102]. While we focus on SATs in this paper, our findings would likely apply to dynamic analysis notification content as well.…”

Section: Static Analysis Tools (Sats)mentioning

confidence: 97%

“…SATs can work without needing to run the code itself so they can be integrated into IDEs or even work off of websites which makes it easier for developers to find and fix defects earlier in the development process rather than waiting till the test and production stages. SATs are recommended as the first line of defence against vulnerabilities [102], and developers have previously acknowledged their usefulness in finding security vulnerabilities [97]. Various academic researchers recommend developers use SATs [45,58,86,101,102], and they are also used by large technology companies such as Microsoft [22,91], Facebook [31], and Google [5,7,82,83], as well as in open-source projects such as Linux, Firefox, and Qt [14,48,99,105].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy. CCS CONCEPTS• Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy; Software and application security.

show abstract

Section: Static Analysis Tools (Sats)mentioning

confidence: 97%

Section: Introductionmentioning

confidence: 99%

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…• Motivate developers to drive their own security improvements [36]; • Encourage developers to adopt a subset of key assurance techniques, specifically Threat Assessment, Configuration Review, Automated Static Analysis, Source Code Review, and Penetration Testing [36];…”

Section: The Interventionmentioning

confidence: 99%

“…• Incentivization Session, and • Threat Assessment Based on early trials of a workshop-based intervention [36] we concluded two further requirements:…”

Section: The Interventionmentioning

confidence: 99%

“…This research project addresses the objective of defining a cost-effective intervention to support software development teams in creating secure products and services. In earlier work the authors identified requirements and an approach using workshops to sensitize developers to the importance of security [36]. Based on this they derived a set of requirements for this package (Section III) and concluded the need for objective assessment of its impact.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Passion for Security: Intervening to Help Software Developers

Weir

Becker

Blair

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

Self Cite

View full text Add to dashboard Cite

While the techniques to achieve secure, privacypreserving software are now well understood, evidence shows that many software development teams do not use them: they lack the 'security maturity' to assess security needs and decide on appropriate tools and processes; and they lack the ability to negotiate with product management for the required resources. This paper describes a measuring approach to assess twelve aspects of this security maturity; its use to assess the impact of a lightweight package of workshops designed to increase security maturity; and a novel approach within that package to support developers in resource negotiation. Based on trials in eight organizations, involving over 80 developers, this paper demonstrates that (1) development teams can notably improve their security maturity even in the absence of security specialists; and (2) suitably guided, developers can find effective ways to promote security to product management. Empowering developers to make their own decisions and promote security in this way offers a powerful grassroots approach to improving the security of software worldwide.

show abstract

Transformation of Cybersecurity Posture in IT Telecommunication: A Case Study of a Telecom Operator

Mohamed

Sarwar²,

Hosseinian-Far³

2021

Cybersecurity, Privacy and Freedom Protection in the Connected World

View full text Add to dashboard Cite

Organisations are facing sophisticated and advanced persistent threats (APT) that are targeting sensitive information assets. Any form of cyber-presence can be typically attacked by adversaries, and the motives of such attacks are context dependent. Besides, users and organisations are prone to software vulnerabilities, misconfigurations, outdated systems and several other systemic deficiencies which can be leveraged to compromise enterprise assets and gain an initial foothold within an organisation network. The aim of the paper is to develop a flexible and generally comprehensive organisational strategy to defend against the massive increase in cyberattacks, in order to protect the strategic business objectives of an organisation and keep an alignment between business objectives and security. Moreover, this paper reflects on the work undertaken by multiple teams within the chosen case study organisation to enhance the cybersecurity.

show abstract

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

Cited by 22 publications

References 46 publications

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

A Passion for Security: Intervening to Help Software Developers

Transformation of Cybersecurity Posture in IT Telecommunication: A Case Study of a Telecom Operator

Contact Info

Product

Resources

About