Security Responses in Software Development

The pressure on software developers to produce secure software has never been greater. But what does security look like in environments that do not produce security-critical software? To answer this question, this multi-sited ethnographic study characterizes security episodes in such environments and identifies five typical security behaviors in software development. Drawing on theory from information security and from motivation research in software engineering, the article characterizes the key ways in which individual developers form security responses to meet the demands of particular circumstances, and offers a framework that managers and teams can use to recognize, understand, and alter security activity in their own environments.
