Developers Need Support, Too: A Survey of Security Advice for Software Developers

Acar, Yasemin; Stransky, Christian; Wermke, Dominik; Weir, Charles; Mazurek, Michelle L.; Fahl, Sascha

doi:10.1109/secdev.2017.17

Cited by 91 publications

(78 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The study reported here joins recent calls to understand more about how developers use guidance found on-line [3] and to identify methods for studying developers' security behavior [1]. We hypothesize that social factors are effective in motivating developers to write secure code and postulate that these factors will be evident within interactions undertaken between developers communicating in an on-line community setting.…”

mentioning

confidence: 82%

An investigation of security conversations in stack overflow

López

Tun

Bandara

et al. 2018

Proceedings of the 1st International Workshop on Security Awareness From Design to Deployment

View full text Add to dashboard Cite

Developers turn to Stack Overflow and other on-line sources to find solutions to security problems, but little is known about how they engage with and guide one another in these environments or the perceptions of software security this may encourage. This study joins recent calls to understand more about how developers use Internet sources to solve security problems. Using qualitative methods, a set of questions within the security channel of Stack Overflow were selected and examined for themes. Preliminary findings reveal more about this community of practitioners: who are the askers and commenters, how security questions are asked and how developers frame technical information using social and experience-based perceptions of security. CCS CONCEPTS • Security and privacy → Software security engineering; • Software and its engineering → Collaboration in software development; KEYWORDS secure software development, collaborative environments, empirical studies 1 INTRODUCTION Many real-world security vulnerabilities in software relate to a few known classes of attack such as code injection. A number of practices and technologies for detecting and preventing vulnerabilities in software are likewise established, such as input sanitisation and non-escaping strings. However, it is not clear why many professional software developers do not adopt these practices and technologies as a matter of course. Security is, in part, a social phenomenon. Peer interaction, experience of security failures, and an awareness about the impact of security failures on people's well-being influence the decisions individuals make about whether or not to be secure in their personal lives [10] and on the job [17]. Social interaction is also key to developers' motivation to work; characteristics of the feedback received Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).

show abstract

mentioning

confidence: 82%

An investigation of security conversations in stack overflow

López

Tun

Bandara

et al. 2018

Proceedings of the 1st International Workshop on Security Awareness From Design to Deployment

View full text Add to dashboard Cite

show abstract

“…One possible strategy to mitigate security smells is to develop concrete guidelines on how to write IaC scripts in a secure manner. When constructing guidelines, the IaC community can take the findings of Acar et al [54] into account, and include easy to understand, task-specific examples on how to write IaC scripts in a secure manner.…”

Section: Use Of Http Without Tlsmentioning

confidence: 99%

The Seven Sins: Security Smells in Infrastructure as Code Scripts

Rahman

Parnin

Williams

2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

143

View full text Add to dashboard Cite

Context: Security smells are coding patterns in source code that are indicative of security weaknesses. As infrastructure as code (IaC) scripts are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts. Methodology: We apply qualitative analysis with 3,339 IaC scripts to identify security smells for IaC scripts written in three languages: Ansible, Chef, and Puppet. We construct a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to automatically identify security smells in 61,097 scripts collected from 1,093 open source software repositories. We also submit bug reports for 1,500 randomly-selected smell occurrences identified from the 61,097 scripts. Results: We identify nine security smells for IaC scripts. By applying SLIC on 61,097 IaC scripts we identify 64,356 occurrences of security smells that included 9,092 hard-coded passwords. We observe agreement for 130 of the responded 187 bug reports, which suggests the relevance of security smells for IaC scripts amongst practitioners. Conclusion: We observe security smells to be prevalent in IaC scripts. We recommend practitioners to rigorously inspect the presence of the identified security smells in IaC scripts using (i) code review, and (ii) static analysis tools.

show abstract

“…One problem is that developers rarely need to use security techniques such as cryptography in their software, and when they do, the APIs are difficult to use [16]. Guidance in online sources used by developers is not comprehensive or robust [17], and often not correct [18]. Activities designed to raise awareness are perceived by developers to be helpful, but may not have lasting impact on teams [19].…”

Section: Introductionmentioning

confidence: 99%

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

López

Sharp

Tun

et al. 2019

2019 IEEE/ACM 12th International Workshop on Cooperative and Human Aspects of Software Engineering (CHASE)

View full text Add to dashboard Cite

Security of software systems is of general concern, yet breaches caused by common vulnerabilities still occur. Software developers are routinely called upon to "do more" to address this situation. However there has been little focus on the developers' point of view, and understanding how security features in their day-to-day activities. This paper reports preliminary findings of semi-structured interviews taken during an ethnographic study of professional software developers in one organization who are not security experts. The overall study aims to understand how security features in day-to-day practice, while analysis of the interview data asks whether developers are responsible for security. The study reveals that awareness around security matters is raised through several paths including processes, standards, practices and company training and that a focus on security is driven by contextual factors. Security is taken care of with policies and through safeguards, and is handled differently depending on whether a team is developing new features, and hence "looking forward", or working with existing code and hence "looking back". Developers take and share responsibility for security in the code, but suggest that their responsibility has limits, and relies on collective practice.

show abstract

Developers Need Support, Too: A Survey of Security Advice for Software Developers

Cited by 91 publications

References 9 publications

An investigation of security conversations in stack overflow

An investigation of security conversations in stack overflow

The Seven Sins: Security Smells in Infrastructure as Code Scripts

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

Contact Info

Product

Resources

About