Understanding Developer Security Archetypes

Ryan, Ita; Roedig, Utz; Stol, Klaas-Jan

doi:10.1109/encycris52570.2021.00013

Cited by 5 publications

(13 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Tahaei et al [34] examined the experience of privacy 'champions' in software teams, finding that they play an important advocacy role. Ryan et al [35] identified a 'hero' software security archetype; a coder struggling to introduce secure coding practices in a security-hostile environment. Such environments are difficult to study, since most security experts work in roles where security is already a focus [36].…”

Section: B Security Culturementioning

confidence: 99%

Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon

Ryan

Roedig

Stol

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Software security research has a core problem: it is impossible to prove the security of complex software. A low number of known defects may simply indicate that the software has not been attacked yet, or that successful attacks have not been detected. A high defect count may be the result of white-hat hacker targeting, or of a successful bug bounty program which prevented insecurities from persisting in the wild. This makes it difficult to measure the security of non-trivial software. Researchers instead usually measure effort directed towards ensuring software security. However, different researchers use their own tailored measures, usually devised from industry secure coding guidelines. Not only is there no agreed way to measure effort, there is also no agreement on what effort entails. Qualitative studies emphasise the importance of security culture in an organisation. Where software security practices are introduced solely to ensure compliance with legislative or industry standards, a box-ticking attitude to security may result. The security culture may be weak or non-existent, making it likely that precautions not explicitly mentioned in the standards will be missed. Thus, researchers need both a way to assess software security practice and a way to measure software security culture. To assess security practice, we converted the empirically-established 12 most common software security activities into questions. To assess security culture, we devised a number of questions grounded in prior literature. We ran a secure development survey with both sets of questions, obtaining organic responses from 1,100 software coders in 59 countries. We used proven common activities to assess security practice, and made a first attempt to quantitatively assess aspects of security culture in the broad developer population. Our results show that some coders still work in environments where there is little to no attempt to ensure code security. Security practice and culture do not always correlate, and some organisations with strong secure coding practice have weak secure coding culture. This may lead to problems in defect prevention and sustained software security effort.

show abstract

Section: B Security Culturementioning

confidence: 99%

Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon

Ryan

Roedig

Stol

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

show abstract

“…The result is four archetypes: a) pragmatists, who are unmotivated but have resources, b) optimists, who are neither motivated nor have resources, c) champions, who are motivated and have resources, and d) heroes, who are motivated but do not have resources. Their position is that developers are not homogenous and need to have their differences represented [29]. Although the idea that developers are not homogenous is also considered valid in the present study, a key distinction between Ryan et al's work and the focus of this thesis is that Ryan et al focus on two-dimensional developer archetypes, while the focus of this thesis is the creation of a framework to guide the persona creation process.…”

Section: Security Focused Developer Characteristicsmentioning

confidence: 76%

“…There is limited research on the creation of personas for software developers from the lens of software security within the Developer Centered Security (DCS) literature, a field that studies Human-Computer Interaction methods in conjunction to software development and security [27,28]. Prior research either focuses on preconceived dimensions of software developers [20,29], or it focuses on developers who are already security conscious (security champions) [30] (see section 2.3). Additionally, there are numerous research contributions [31,32,33,34,35,36,37,38] that focus on (a) a particular aspect of software security, and (b) the developer characteristics that may result in that behaviour, such as developer security decision making [33,39], or security rationale [36].…”

Section: List Of Figuresmentioning

confidence: 99%

“…A number of past studies [20,29,30,64,65] have investigated the idea of categorizing software developers into distinct groups, based on a range or set of characteristics.…”

Section: Security Focused Developer Characteristicsmentioning

confidence: 99%

“…These findings are encouraging as they can potentially formulate persona dimensions; however, this study is focused on defining cybersecurity advocates, and the findings may therefore not extend to all software developers. Furthermore, Ryan et al [29] focus specifically on categorizing developers from a security perspective and develop a mapping of security developer archetypes with two dimensions: support from the environment, and personal security interest. The result is four archetypes: a) pragmatists, who are unmotivated but have resources, b) optimists, who are neither motivated nor have resources, c) champions, who are motivated and have resources, and d) heroes, who are motivated but do not have resources.…”

Section: Security Focused Developer Characteristicsmentioning

confidence: 99%

See 2 more Smart Citations

Towards Security-Focused Developer Personas

Karanassios

View full text Add to dashboard Cite

Usability issues are one of the reasons behind the lack of security testing tool adoption by software developers. The design of security testing tools by Security Software Creators (SSCs) can be strengthened through the use of security focused developer personas which allow an improved understanding of software developer behaviour. Despite the widespread use of personas in other fields, limited research exists that specifically tailors personas to software developers from a security perspective. This research uses an interview study with 20 participants to explore 18 security focused developer persona dimensions, as well as a survey study with 40 participants to identify a range of dimension-specific information.Based on the results from the two studies, we developed a security focused developer persona framework that provides SSCs with a structured approach to create securityfocused developer personas.I would also like to thank my thesis defence committee members -Dr. Elizabeth Stobert, and Dr. Alejandro Ramirez. Their insights and constructive critique have greatly enriched my work and contributed to its successful completion. Additionally, I would like to thank Dr. Alan Tsang for chairing the defence.Furthermore, I would like to acknowledge the academic community and Carleton University for providing the necessary resources and opportunities to pursue this research.Without their commitment to education and research, this thesis would not have been possible. Thank you all for your contributions, and I am truly grateful for the impact you have had on my academic and personal growth.

show abstract