Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long‐lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.
