Security During Application Development

Thomas, Tyler; Tabassum, Madiha; Chu, Bill; Lipford, Heather Richter

doi:10.1145/3173574.3173836

Cited by 50 publications

(19 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Security Champions in development teams have an interest in security but they are not necessarily security experts or have a formal Security Champion title [33,57,68,70,72,79]. They can positively infuence the security practices of others [19][20][21] often with a bottom-up approach instead of a top-down approach [8,19,55].…”

Section: Related Workmentioning

confidence: 99%

“…Such behaviours and attitudes are valuable in organisations that prioritise security [35]. Peer developers view Security Champions as essential players in software security [70,77,78]. They can be an experienced hacker who helps testers in fnding vulnerabilities [74], an intermediary between the security and development teams [25,70], or the leader in threat modelling activities [10,63].…”

Section: Related Workmentioning

confidence: 99%

“…Peer developers view Security Champions as essential players in software security [70,77,78]. They can be an experienced hacker who helps testers in fnding vulnerabilities [74], an intermediary between the security and development teams [25,70], or the leader in threat modelling activities [10,63]. They are involved in several security-related activities such as educating other developers [31,33,34,38,73], increasing awareness [19,33,34], and promoting the adoption of technologies [31,32,34].…”

Section: Related Workmentioning

confidence: 99%

“…This approach has been explored in software teams with Security Champions [33,68,72]. Security Champions play an intermediary role to facilitate conversations between security and development teams [70].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges

Tahaei

Frik

Vaniea

2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Software development teams are responsible for making and implementing software design decisions that directly impact end-user privacy, a challenging task to do well. Privacy Champions-people who strongly care about advocating privacy-play a useful role in supporting privacy-respecting development cultures. To understand their motivations, challenges, and strategies for protecting end-user privacy, we conducted 12 interviews with Privacy Champions in software development teams. We fnd that common barriers to implementing privacy in software design include: negative privacy culture, internal prioritisation tensions, limited tool support, unclear evaluation metrics, and technical complexity. To promote privacy, Privacy Champions regularly use informal discussions, management support, communication among stakeholders, and documentation and guidelines. They perceive code reviews and practical training as more instructive than general privacy awareness and on-boarding training. Our study is a frst step towards understanding how Privacy Champions work to improve their organisation's privacy approaches and improve the privacy of enduser products. CCS CONCEPTS• Human-centered computing → Empirical studies in collaborative and social computing; • Security and privacy → Usability in security and privacy; • Social and professional topics → Software management.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges

Tahaei

Frik

Vaniea

2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…The identified factors were classified into institutional context, people and action, project content, and software development process factors. Thomas et al [23] addressed the issues that security auditors face during application review for security bugs. The study recommend further support for the development process by providing security-related tools and effective communication tools for developer interactions.…”

Section: Previous Workmentioning

confidence: 99%

Challenges With Developing Secure Mobile Health Applications: Systematic Review

Aljedaani¹,

Babar²

2021

JMIR Mhealth Uhealth

View full text Add to dashboard Cite

Background Mobile health (mHealth) apps have gained significant popularity over the last few years due to their tremendous benefits, such as lowering health care costs and increasing patient awareness. However, the sensitivity of health care data makes the security of mHealth apps a serious concern. Poor security practices and lack of security knowledge on the developers’ side can cause several vulnerabilities in mHealth apps. Objective In this review paper, we aimed to identify and analyze the reported challenges concerning security that developers of mHealth apps face. Additionally, our study aimed to develop a conceptual framework with the challenges for developing secure apps faced by mHealth app development organizations. The knowledge of such challenges can help to reduce the risk of developing insecure mHealth apps. Methods We followed the systematic literature review method for this review. We selected studies that were published between January 2008 and October 2020 since the major app stores launched in 2008. We selected 32 primary studies using predefined criteria and used a thematic analysis method for analyzing the extracted data. Results Of the 1867 articles obtained, 32 were included in this review based on the predefined criteria. We identified 9 challenges that can affect the development of secure mHealth apps. These challenges include lack of security guidelines and regulations for developing secure mHealth apps (20/32, 63%), developers’ lack of knowledge and expertise for secure mHealth app development (18/32, 56%), lack of stakeholders’ involvement during mHealth app development (6/32, 19%), no/little developer attention towards the security of mHealth apps (5/32, 16%), lack of resources for developing a secure mHealth app (4/32, 13%), project constraints during the mHealth app development process (4/32, 13%), lack of security testing during mHealth app development (4/32, 13%), developers’ lack of motivation and ethical considerations (3/32, 9%), and lack of security experts’ engagement during mHealth app development (2/32, 6%). Based on our analysis, we have presented a conceptual framework that highlights the correlation between the identified challenges. Conclusions While mHealth app development organizations might overlook security, we conclude that our findings can help them to identify the weaknesses and improve their security practices. Similarly, mHealth app developers can identify the challenges they face to develop mHealth apps that do not pose security risks for users. Our review is a step towards providing insights into the development of secure mHealth apps. Our proposed conceptual framework can act as a practice guideline for practitioners to enhance secure mHealth app development.

show abstract