Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Weir, Charles; Becker, Ingolf; Noble, James; Blair, Lynne; Sasse, M. Angela; Rashid, Awais

doi:10.1109/icse-seip.2019.00013

Cited by 12 publications

(19 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such behaviours and attitudes are valuable in organisations that prioritise security [35]. Peer developers view Security Champions as essential players in software security [70,77,78]. They can be an experienced hacker who helps testers in fnding vulnerabilities [74], an intermediary between the security and development teams [25,70], or the leader in threat modelling activities [10,63].…”

Section: Related Workmentioning

confidence: 99%

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges

Tahaei

Frik

Vaniea

2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Software development teams are responsible for making and implementing software design decisions that directly impact end-user privacy, a challenging task to do well. Privacy Champions-people who strongly care about advocating privacy-play a useful role in supporting privacy-respecting development cultures. To understand their motivations, challenges, and strategies for protecting end-user privacy, we conducted 12 interviews with Privacy Champions in software development teams. We fnd that common barriers to implementing privacy in software design include: negative privacy culture, internal prioritisation tensions, limited tool support, unclear evaluation metrics, and technical complexity. To promote privacy, Privacy Champions regularly use informal discussions, management support, communication among stakeholders, and documentation and guidelines. They perceive code reviews and practical training as more instructive than general privacy awareness and on-boarding training. Our study is a frst step towards understanding how Privacy Champions work to improve their organisation's privacy approaches and improve the privacy of enduser products. CCS CONCEPTS• Human-centered computing → Empirical studies in collaborative and social computing; • Security and privacy → Usability in security and privacy; • Social and professional topics → Software management.

show abstract

Section: Related Workmentioning

confidence: 99%

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges

Tahaei

Frik

Vaniea

2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…• Network Effect -Choosing solutions based on the number of their users. Group behavior is also observed in case of assurance mechanisms [30]- [32], [43], [54]…”

Section: Biasmentioning

confidence: 99%

“…• Organizational Goals -Software development methods rush for functionality. Developers need regular motivation and organization push [2]- [4], [28], [30], [33], [36], [40], [55]- [58] Take-away. The API providers are ideally placed to collaborate with developers and link the security benefits and pitfalls of how their APIs are used.…”

Section: Incentivesmentioning

confidence: 99%

See 1 more Smart Citation

Developers Are Neither Enemies Nor Users: They Are Collaborators

Chowdhury

Hallett

Patnaik

et al. 2021

2021 IEEE Secure Development Conference (SecDev)

Self Cite

View full text Add to dashboard Cite

Developers struggle to program securely. Prior works have reviewed the methods used to run user-studies with developers, systematized the ancestry of security API usability recommendations, and proposed research agendas to help understand developers' knowledge, attitudes towards security and priorities. In contrast we study the research to date and abstract out categories of challenges, behaviors and interventions from the results of developer-centered studies. We analyze the abstractions and identify five misplaced beliefs or tropes about developers embedded in the core design of APIs and tools. These tropes hamper the effectiveness of interventions to help developers program securely. Increased collaboration between developers, security experts and API designers to help developers understand the security assumptions of APIs alongside creating new useful abstractions-derived from such collaborations-will lead to systems with better security.

show abstract

“…This paper presents research into these questions: a survey of security professionals who work with software developers to address the first question and, based on the results, the subsequent creation and trials of a package, “Developer Security Essentials,” to address the second. It expands on an earlier paper by the authors, incorporating new longitudinal data from interviews one year after the intervention (Section 6.7), a comparison of the activities of different teams (Section 5.3), a more extensive literature survey (Section 2), and a discussion of “Blockers and Motivators” encountered by the different teams (Section 6.7).…”

Section: Introductionmentioning

confidence: 98%

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

et al. 2019

Self Cite

View full text Add to dashboard Cite

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long-lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

show abstract

Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Cited by 12 publications

References 20 publications

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges

Developers Are Neither Enemies Nor Users: They Are Collaborators

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

Contact Info

Product

Resources

About