"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

López, Tamara González; Sharp, Helen; Tun, Thein Than; Bandara, Arosha K.; Levine, Mark; Nuseibeh, Bashar

doi:10.1109/chase.2019.00023

Cited by 18 publications

(18 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our interviews taken with engineers in office environments suggest that developers who are not in specialist cyber security teams often understand, in principle, how to counter common vulnerabilities, and have an awareness of the need to protect information for companies and for users of software [9]. But at the same time, and in agreement with other findings [11], these developers report that security is not at the forefront of their daily activity or decision making.…”

Section: Introductionsupporting

confidence: 80%

“…The interactions and conversations we have observed within office settings [9] and comment streams on Stack Overflow [7], [8] suggest that secure coding practice is supported in both kinds of environment through personal networks of practice [14] that operate within larger environments. Online, in websites like Stack Overflow, such networks operate within the comment streams attached to question and answer posts.…”

Section: Network Of Practicementioning

confidence: 99%

“…Upvotes are not enough. Developers in the field [9] indicate that while community voting activity in online sources is helpful for isolating promising information, subsequent problem-solving of security problems often requires additional support in the form of personal connections made between individuals.…”

Section: Join In By Lending a Hand Or Asking For Helpmentioning

confidence: 99%

“…Our larger research program is investigating ways to initiate and sustain secure software development practice. In a series of studies, we have shown how developers talk about security in Stack Overflow posts given the "security" tag [7] [8], and examined how security figures into practice within office settings [9]. The approach taken in these studies does not assess the quality of the information about security developers provide to one another, but rather seeks to understand more about how they engage with and guide one another in practice.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Taking the Middle Path: Learning About Security Through Online Social Interaction

et al. 2020

Self Cite

View full text Add to dashboard Cite

As software-intensive digital systems become an integral part of modern life, ensuring that these systems are developed to satisfy security and privacy requirements is an increasingly important societal concern. Integrating security into software development involves more than learning security principles or applying techniques. Security in practice is shaped through experience. It can be integrated into software development by following a middle path, through which developers draw together formal knowledge and software development techniques. Social interactions facilitate this process. This article recommends four strategies developers can use to maximise security in practice using online communities like Stack Overflow, including approaching security from within specific tasks, critically assessing content in posts, actively participating, and bringing online information into real-world situations.

show abstract

Section: Introductionsupporting

confidence: 80%

Section: Network Of Practicementioning

confidence: 99%

Section: Join In By Lending a Hand Or Asking For Helpmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Taking the Middle Path: Learning About Security Through Online Social Interaction

et al. 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…Applicability. We intend to conduct a more comprehensive empirical study in order to evaluate relevance of the suggested revisions, and compare their acceptability by so ware developers, who may not always follow security practices [38]. In particular, OASIS assumes that the requirements can be expressed in LTL, which might not always be the case, especially for cases relating to complex data structures.…”

Section: Discussionmentioning

confidence: 99%

OASIS: Weakening User Obligations for Security-critical Systems

Tun

Bennaceur

Nuseibeh

2020

2020 IEEE 28th International Requirements Engineering Conference (RE)

Self Cite

View full text Add to dashboard Cite

Incorporating software security: using developer workshops to engage product managers

2022

View full text Add to dashboard Cite

Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues? This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops’ effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements. Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.

show abstract

"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

Cited by 18 publications

References 28 publications

Taking the Middle Path: Learning About Security Through Online Social Interaction

Taking the Middle Path: Learning About Security Through Online Social Interaction

OASIS: Weakening User Obligations for Security-critical Systems

Incorporating software security: using developer workshops to engage product managers

Contact Info

Product

Resources

About