Implementing software security practices is a critical concern in modern software development. Industry practitioners, security tool providers, and researchers have provided standard security guidelines and sophisticated security development tools to ensure a secure software development pipeline. But despite these efforts, there continues to be an increase in the number of vulnerabilities that can be exploited by malicious hackers. There is thus an urgent need to understand why developers still introduce security vulnerabilities into their applications and to understand what can be done to motivate them to write more secure code. To understand and address this problem further, we propose DASP, a framework for diagnosing and driving the adoption of software security practices among developers. DASP was conceived by combining behavioral science theories to shape a cross-sectional interview study with 28 software practitioners. Our interviews lead to a framework that consists of a comprehensive set of 33 drivers grouped into 7 higher-level categories that represent what needs to happen or change so that the adoption of software security practices occurs. Using the DASP framework, organizations can design interventions suitable for developers' specific development contexts that will motivate them to write more secure code.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.