Can Security Become a Routine?

Poller, Andreas; Kocksch, Laura; Türpe, Sven; Epp, Felix Anand; Kinder-Kurlanda, Katharina

doi:10.1145/2998181.2998191

Cited by 54 publications

(14 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Guidance in online sources used by developers is not comprehensive or robust [17], and often not correct [18]. Activities designed to raise awareness are perceived by developers to be helpful, but may not have lasting impact on teams [19].…”

Section: Introductionmentioning

confidence: 99%

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

López

Sharp

Tun

et al. 2019

2019 IEEE/ACM 12th International Workshop on Cooperative and Human Aspects of Software Engineering (CHASE)

View full text Add to dashboard Cite

Security of software systems is of general concern, yet breaches caused by common vulnerabilities still occur. Software developers are routinely called upon to "do more" to address this situation. However there has been little focus on the developers' point of view, and understanding how security features in their day-to-day activities. This paper reports preliminary findings of semi-structured interviews taken during an ethnographic study of professional software developers in one organization who are not security experts. The overall study aims to understand how security features in day-to-day practice, while analysis of the interview data asks whether developers are responsible for security. The study reveals that awareness around security matters is raised through several paths including processes, standards, practices and company training and that a focus on security is driven by contextual factors. Security is taken care of with policies and through safeguards, and is handled differently depending on whether a team is developing new features, and hence "looking forward", or working with existing code and hence "looking back". Developers take and share responsibility for security in the code, but suggest that their responsibility has limits, and relies on collective practice.

show abstract

Section: Introductionmentioning

confidence: 99%

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

López

Sharp

Tun

et al. 2019

2019 IEEE/ACM 12th International Workshop on Cooperative and Human Aspects of Software Engineering (CHASE)

View full text Add to dashboard Cite

show abstract

“…In most cases, developers treat security as a non-functional requirement that is less critical than delivering features, unless employers or application users impose security compliance [41]. Unfortunately, the delayed consideration of security issues renders it more challenging and expensive to address them in later stages [42].…”

Section: Sources Of Software Quality and Security Issuesmentioning

confidence: 99%

“…On the other hand, lack of security culture in teams and organizations has been identified in [49] and [50] as a significant deterrent to the adoption of security. In addition, organizations that do not provide the necessary resources have been noted to prevent developers from implementing security [42]. For instance, when managers see security as a resource conflict with feature development, developers also perceive implementing security as not worth the time and energy.…”

Section: Sources Of Software Quality and Security Issuesmentioning

confidence: 99%

Security risks in the software development lifecycle: A review

Odera¹,

Otieno²,

Ounza³

2023

World J. Adv. Eng. Technol. Sci.

View full text Add to dashboard Cite

Software security is one of the most critical concerns in modern software development, especially in safety-critical systems whose failure can lead to environmental damage, substantial property, or loss of human lives. In addition, flawed applications have been shown to exhibit unpredictable behavior while software products with numerous vulnerabilities present attack vectors that can be exploited by attackers. To address some of these problems, vulnerability prediction has been deployed for early detection of security risks in the software development lifecycle (SDLC). This can potentially facilitate decision making during the SDLC, resulting in the production of more secure software. Prioritizing security during SDLC permits developers and stakeholders to identify and resolve possible security concerns early on in the process. The aim of this paper is therefore to offer some in-depth review of software systems security issues. In addition, the various measures that have been put in place to mitigate security issues during SDLC are discussed.

show abstract

“…Existing work examining security practices has focused on the issue of usability for end users [3] and for developers [27,39], while other research has focused on identifying the psychological and cognitive factors that lead to security vulnerabilities in code [48]. There is broad agreement in the research community that developers need support in writing secure code [1], and researchers are exploring ways to provide help, for example by raising awareness with software developers about security issues [46,71], or improving engagement by bringing security and engineering teams together [44].…”

Section: Introductionmentioning

confidence: 99%

Security Responses in Software Development

López

Sharp

Tun

et al. 2023

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

The pressure on software developers to produce secure software has never been greater. But what does security look like in environments that don’t produce security-critical software? In answer to this question, this multi-sited ethnographic study characterises security episodes and identifies five typical behaviors in software development. Using theory drawn from information security and motivation research in software engineering, this paper characterizes key ways in which individual developers form security responses to meet the demands of particular circumstances, providing a framework managers and teams can use to recognize, understand and alter security activity in their environments.

show abstract

Can Security Become a Routine?

Cited by 54 publications

References 23 publications

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

Security risks in the software development lifecycle: A review

Security Responses in Software Development

Contact Info

Product

Resources

About