A Survey on Developer-Centred Security

Software developers are key players in the security ecosystem because the code they produce runs on millions of devices. Yet insecure code continues to be developed and deployed on a regular basis, despite the existence of support infrastructures, tools, and research into common errors. This work provides a systematised overview of the relatively new field of Developer-Centred Security, which aims to understand the context in which developers produce security-relevant code and to provide tools and processes that better support both developers and secure code production. We report on a systematic literature review of 49 publications describing security studies with software developer participants. We give an overview both of the methodologies currently in use and of current research in the area. Finally, we offer recommendations for future work in Developer-Centred Security.
