"Hopefully We Are Mostly Secure": Views on Secure Code in Professional Practice

Bibliographic Details
Main Authors: Lopez, Tamara; Sharp, Helen; Tun, Thein; Bandara, Arosha; Levine, Mark; Nuseibeh, Bashar
Format: Conference Proceeding
Language: English
Description
Summary: Security of software systems is of general concern, yet breaches caused by common vulnerabilities still occur. Software developers are routinely called upon to "do more" to address this situation. However there has been little focus on the developers' point of view, and understanding how security features in their day-to-day activities. This paper reports preliminary findings of semi-structured interviews taken during an ethnographic study of professional software developers in one organization who are not security experts. The overall study aims to understand how security features in day-to-day practice, while analysis of the interview data asks whether developers are responsible for security. The study reveals that awareness around security matters is raised through several paths including processes, standards, practices and company training and that a focus on security is driven by contextual factors. Security is taken care of with policies and through safeguards, and is handled differently depending on whether a team is developing new features, and hence "looking forward", or working with existing code and hence "looking back". Developers take and share responsibility for security in the code, but suggest that their responsibility has limits, and relies on collective practice.
ISSN: 2574-1837
DOI: 10.1109/CHASE.2019.00023