'Think secure from the beginning': A Survey with Software Developers

Vulnerabilities persist despite existing software security initiatives and best practices. This paper focuses on the human factors of software security, including human behaviour and motivation. We conducted an online survey to explore the interplay between developers and software security processes, e.g., we looked into how developers influence and are influenced by these processes. Our data included responses from 123 software developers currently employed in North America who work on various types of software applications. Whereas developers are often held responsible for security vulnerabilities, our analysis shows that the real issues frequently stem from a lack of organizational or process support to handle security throughout development tasks. Our participants are self-motivated towards software security, and the majority did not dismiss it but identified obstacles to achieving secure code. Our work highlights the need to look beyond the individual, and take a holistic approach to investigate organizational issues influencing software security.
