A Security Practices Evaluation Framework

Morrison, Patrick

doi:10.1109/icse.2015.296

Cited by 10 publications

(3 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other research teams studied historical data. Morrison [29] defined the Security Practices Evaluation Framework (SP-EF), a measurement framework for software development security activities, and evaluated the framework on historical data and industrial/opensource projects [30]. Kwon and Johnson [21] conducted an empirical analysis of data from 2,386 healthcare organizations to identify how different types of security investment affect subsequent security failures.…”

Section: Software Security Practice Studiesmentioning

confidence: 99%

Infiltrating security into development: exploring the world’s largest software security study

Weir

Migues

Ware

et al. 2021

Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

Recent years have seen rapid increases in cybercrime. The use of effective software security activities plays an important part in preventing the harm involved. Objective research on industry use of software security practices is needed to help development teams, academic researchers, and educators to focus their activities.Since 2008, a team of researchers, including two of the authors, has been gathering objective data on the use of 121 software security activities. The Building Security In Maturity Model (BSIMM) study explores the activity use of 675,000 software developers, in companies including some of the world's largest and most securityfocused.Our analysis of the study data shows little consistent growth in security activity adoption industry-wide until 2015. Since then, the data shows a strong increasing trend, along with the adoption of new activities to support cloud-based deployment, an emphasis on component security, and a reduction in security professionals' policing role. Exploring patterns of adoption, activities related to detecting and responding to vulnerabilities are adopted marginally earlier than activities related to preventing vulnerabilities; and activities related to particular job roles tend to be used together. We also found that 12 developer security activities are adopted early, together, and notably more often than any others.From these results, we offer recommendations for software and security engineers, and corresponding education and research suggestions for academia. These recommendations offer a strong contribution to improving security in development teams in the future. CCS CONCEPTS• Security and privacy → Software security engineering; • Applied computing → Cross-organizational business processes; • Social and professional topics → Industry statistics.

show abstract

Section: Software Security Practice Studiesmentioning

confidence: 99%

Infiltrating security into development: exploring the world’s largest software security study

Weir

Migues

Ware

et al. 2021

Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

show abstract

“…Previous research [108,133,166] emphasized the importance of devising methods to help developers and development companies choose the set of best practices they would follow and help them establish the security process within their organizations.…”

Section: Security Development Lifecycle (Sdl)mentioning

confidence: 99%

“…Available resources for security best practices vary in their organization and their presentation style, e.g., they vary in technical details. Practitioners may find difficulty deciding on best practices to follow and establishing processes within their organizations [108,133,166]. To help frame security practices we identified, we collected recommendations from the sources discussed in Section 2.2 to compose a concise set of best practices.…”

Section: Software Security Best Practicesmentioning

confidence: 99%

The Human Dimension of Software Security and Factors Affecting Security Processes

Assal¹

View full text Add to dashboard Cite

Usable security for software developers is a research direction that is in its early stages. Even though developers typically have technical expertise, they are not necessarily security experts and need support when dealing with security. This thesis focuses on the human aspect of software security within the overall development process. The research employes mixed methods, including Cognitive Walkthrough studies, interviews, and an online survey study. We started by studying usability issues in code analysis tools, and designed a visual analysis environment to support collaboration between team members and exploration during security analysis of source code. However, while working on this project, we recognized that the software security problem is a larger one, relating to the overall process of integrating security in the Software Development Lifecycle. Thus, through 13 interviews and an online survey with 123 software developers, we explored real-life software security practices, how developers acquire security knowledge, and the motivators and deterrents to software security. Based on our empirical studies, we identified recommendations that can help support developers handle security throughout the Software Development Lifecycle. Our qualitative and quantitative analyses showed varying approaches to software security, and clear discrepancies between existing and best practices. Through exploring developers' motivations towards software security, we identified both extrinsic and intrinsic motivations. We found that acting towards software security volitionally and for reasons extending beyond mandates can lead to better security processes and better developer-engagement in these processes. Particularly, our studies showed that when the different entities involved in the Software Development Lifecycle communicate and collaborate, and when security is perceived as a common and shared responsibility, this can positively influence software security, e.g., by promoting internal motivations which are associated with improved engagement and cognitive abilities. Towards promoting the internalization of software security, we proposed a human-oriented model to describe how external software security motivations can be internalized. Our model highlights the interplay between security knowledge, team collaboration, and internal motivations to security. Working on this thesis was a wonderful journey with its fair share of ups and downs. I would like to express my gratitude to all those who have supported me throughout this journey. To my thesis supervisor, Sonia Chiasson, for her continuous support and guidance, and for her insights that helped elevate the quality of this research. Thank you Sonia for always being there, especially in the many sleepless nights before deadlines, and for being a friend, besides being a thesis supervisor. Thanks to the members of my committee, Heather Lipford, Timothy Lethbridge, Alejandro Ramirez, and Robert Biddle whose expertise, guidance, and feedback helped shape this thesis. I would e...

show abstract