Final published version, 679 KB, PDF document
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Research output: Book/Report/Proceedings › Commissioned report
Research output: Book/Report/Proceedings › Commissioned report
}
TY - BOOK
T1 - Developer Essentials
T2 - Top Five Interventions to Support Secure Software Development
AU - Weir, Charles
AU - Rashid, Awais
AU - Noble, James
PY - 2017/3/30
Y1 - 2017/3/30
N2 - Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems.In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address.We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce:1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed;2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and3. Continuing 'nudges' to the developers to remind them of the importance of security.The other two low-cost and effective interventions relate to the code produced:4. The use of source code analysis tools; and5. The informed choice of components based on their security quality.We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future.
AB - Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems.In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address.We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce:1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed;2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and3. Continuing 'nudges' to the developers to remind them of the importance of security.The other two low-cost and effective interventions relate to the code produced:4. The use of source code analysis tools; and5. The informed choice of components based on their security quality.We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future.
KW - Security intervention
KW - intervention
KW - software development team
KW - software development
KW - programming team
KW - grounded theory
KW - secure development
KW - secure software
KW - software engineering
KW - software security
KW - economic software security
KW - human centered security
M3 - Commissioned report
BT - Developer Essentials
PB - Lancaster University
CY - Lancaster
ER -