
Electronic data

  • InterventionsShortReport

    Final published version, 679 KB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License


Developer Essentials: Top Five Interventions to Support Secure Software Development

Research output: Book/Report/Proceedings › Commissioned report

Published

Standard

Developer Essentials: Top Five Interventions to Support Secure Software Development. / Weir, Charles; Rashid, Awais; Noble, James.
Lancaster: Lancaster University, 2017. 9 p.


Bibtex

@book{ae0b7642f8234c65af0842149a75a130,
title = "Developer Essentials: Top Five Interventions to Support Secure Software Development",
abstract = "Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems. In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address. We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce: 1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed; 2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and 3. Continuing 'nudges' to the developers to remind them of the importance of security. The other two low-cost and effective interventions relate to the code produced: 4. The use of source code analysis tools; and 5. The informed choice of components based on their security quality. We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future.",
keywords = "Security intervention, intervention, software development team, software development, programming team, grounded theory, secure development, secure software, software engineering, software security, economic software security, human centered security",
author = "Charles Weir and Awais Rashid and James Noble",
year = "2017",
month = mar,
day = "30",
language = "English",
publisher = "Lancaster University",
}

RIS

TY - BOOK

T1 - Developer Essentials

T2 - Top Five Interventions to Support Secure Software Development

AU - Weir, Charles

AU - Rashid, Awais

AU - Noble, James

PY - 2017/3/30

Y1 - 2017/3/30

N2 - Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems. In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address. We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce: 1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed; 2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and 3. Continuing 'nudges' to the developers to remind them of the importance of security. The other two low-cost and effective interventions relate to the code produced: 4. The use of source code analysis tools; and 5. The informed choice of components based on their security quality. We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future.

AB - Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems. In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address. We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce: 1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed; 2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and 3. Continuing 'nudges' to the developers to remind them of the importance of security. The other two low-cost and effective interventions relate to the code produced: 4. The use of source code analysis tools; and 5. The informed choice of components based on their security quality. We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future.

KW - Security intervention

KW - intervention

KW - software development team

KW - software development

KW - programming team

KW - grounded theory

KW - secure development

KW - secure software

KW - software engineering

KW - software security

KW - economic software security

KW - human centered security

M3 - Commissioned report

BT - Developer Essentials

PB - Lancaster University

CY - Lancaster

ER -