Talking About Security with Professional Developers

López, Tamara González; Sharp, Helen; Tun, Thein Than; Bandara, Arosha K.; Levine, Mark; Nuseibeh, Bashar

doi:10.1109/cesser-ip.2019.00014

Cited by 14 publications

(7 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To encourage developer security, there is a need to raise developers' security awareness [127]. This was achieved using playful workshops [128]. However, awareness is only the first step [129], as individuals need to be supported through training to have the ability to perform the expected behavior.…”

Section: Figure 2 Threat Modeling Process [61]mentioning

confidence: 99%

Security risks in the software development lifecycle: A review

Odera¹,

Otieno²,

Ounza³

2023

World J. Adv. Eng. Technol. Sci.

View full text Add to dashboard Cite

Software security is one of the most critical concerns in modern software development, especially in safety-critical systems whose failure can lead to environmental damage, substantial property, or loss of human lives. In addition, flawed applications have been shown to exhibit unpredictable behavior while software products with numerous vulnerabilities present attack vectors that can be exploited by attackers. To address some of these problems, vulnerability prediction has been deployed for early detection of security risks in the software development lifecycle (SDLC). This can potentially facilitate decision making during the SDLC, resulting in the production of more secure software. Prioritizing security during SDLC permits developers and stakeholders to identify and resolve possible security concerns early on in the process. The aim of this paper is therefore to offer some in-depth review of software systems security issues. In addition, the various measures that have been put in place to mitigate security issues during SDLC are discussed.

show abstract

Section: Figure 2 Threat Modeling Process [61]mentioning

confidence: 99%

Security risks in the software development lifecycle: A review

Odera¹,

Otieno²,

Ounza³

2023

World J. Adv. Eng. Technol. Sci.

View full text Add to dashboard Cite

show abstract

“…Hall et al (2008) framed these motivators as 'intrinsic', relating them to self-determination theory (Herzberg 2017). Lopez et al (2019a) concluded that to encourage developer security there is a need to "raise developers' security awareness;" they successfully used 'playful workshops' to do so (Lopez et al 2019b).…”

Section: Motivating Change In Development Teamsmentioning

confidence: 99%

Incorporating software security: using developer workshops to engage product managers

2022

View full text Add to dashboard Cite

Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues? This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops’ effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements. Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.

show abstract

“…Their studies highlighted that most developers might have an attitude that security is someone else's responsibility [35], or perceive it as a hindrance [36], or in contrast, consider security to be a shared responsibility [38]. Furthermore, other researchers also emphasized that interaction through a gamification approach is an effective tool to engage developers in security practices as developers often enjoy the physical aspects of a game [39].…”

Section: Related Workmentioning

confidence: 99%

“…As a result, developers can introduce vulnerabilities into the source code, assuming that frameworks or libraries properly handle security by default. Additionally, Lopez et al [39] highlighted that public incidents enable information trading and risk awareness. Developers usually build awareness by expanding on technical information and providing additional scenarios and examples from their personal experiences.…”

Section: D26mentioning

confidence: 99%

DASP: A Framework for Driving the Adoption of Software Security Practices

Larios-Vargas¹,

Elazhary²,

Soroush³

et al. 2022

Preprint

View full text Add to dashboard Cite

Implementing software security practices is a critical concern in modern software development. Industry practitioners, security tool providers, and researchers have provided standard security guidelines and sophisticated security development tools to ensure a secure software development pipeline. But despite these efforts, there continues to be an increase in the number of vulnerabilities that can be exploited by malicious hackers. There is thus an urgent need to understand why developers still introduce security vulnerabilities into their applications and to understand what can be done to motivate them to write more secure code. To understand and address this problem further, we propose DASP, a framework for diagnosing and driving the adoption of software security practices among developers. DASP was conceived by combining behavioral science theories to shape a cross-sectional interview study with 28 software practitioners. Our interviews lead to a framework that consists of a comprehensive set of 33 drivers grouped into 7 higher-level categories that represent what needs to happen or change so that the adoption of software security practices occurs. Using the DASP framework, organizations can design interventions suitable for developers' specific development contexts that will motivate them to write more secure code.

show abstract

Talking About Security with Professional Developers

Cited by 14 publications

References 23 publications

Security risks in the software development lifecycle: A review

Security risks in the software development lifecycle: A review

Incorporating software security: using developer workshops to engage product managers

DASP: A Framework for Driving the Adoption of Software Security Practices

Contact Info

Product

Resources

About